如何验证签名的cookie在前端是否有效？ [英] How to verify signed cookies are valid on the front-end?

问题描述

我正在开发一个React应用程序。我正在定义用户角色，并根据角色的权限级别限制对组件的访问。我正在寻找使用签名的cookie从php后端设置权限的方法。当我确定应用程序是否应基于cookie中的数据来呈现组件时，如何验证用户未将cookie发送给后端而不重新定义cookie中的角色？

I'm working on a React application. I am defining user roles and restricting access to components based on the permissions level of the role. I am looking in to using signed cookies to set the permissions from a php backend. When I determine whether the application should render a component based on the data in the cookie, how do I verify that the roles in the cookie have not been redefined by the user without sending the cookie to the backend?

推荐答案

我认为这不是正确的方法。这些组件应该可以自由加载-如果某个组件内置了某些组件，未经身份验证的用户将无法看到这些组件，则没有什么可以阻止某人进入源并自己发现它。

That's not the right approach, in my opinion. The components should be free to load - if there's something built-in to a component that an un-authenticated user shouldn't be able to see, there's nothing stopping someone from going into the source and discovering it themselves.

对于前端应用程序，您必须采取其他方法-所有组件和UI都是公开的。当组件从服务器获取信息以显示给用户时，服务器仍将进行会话身份验证并以4xx响应（401是一个很好的起点），并且组件将适当地处理该响应。

You have to take a different approach for front-end applications - all the components and UI are public. When the component fetches information from the server to display to the user, the server will still do the session authentication and respond with a 4xx (401 would be a good place to start) and the component would handle that response appropriately.

这篇关于如何验证签名的cookie在前端是否有效？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！