Persisting authentication token in AngularJS


Question


I'm building an AngularJS application that interacts with an API that uses authentication tokens to authenticate users. Everything seems to be working fine, but I'm struggling with a way to properly persist the authentication token between requests.


At the moment, when a user logs in with correct credentials an authToken is returned, and I'm setting that on $rootScope.authToken. I'm also sending that auth token for future requests, but if I do a hard reload of the webpage with F5, $rootScope gets cleared and I have to authenticate again.


I'm aware I can store the authToken in a cookie, but would that be the most secure way? Am I better off using local storage to store the token? If local storage is used, would that not get cleared when the user restarts their browser? I'd ideally like the login to persist for a few days.

Recommended answer


Firstly, I'm not sure what the format of your authToken is, but localStorage should not be used for any sensitive data. Using localStorage works great (and survives browser restarts) as long as your authToken is relatively tamper-proof, either through some form of encryption or nonce.


Essentially, you should be careful: since the value is "visible" to all client-side users, it should be assumed to be possible to modify or increment.


Have you thought about revocation of login sessions? For example, if you want to log out all active sessions of your application, how would you do it? Since the authToken is stored client-side, you may need to add a timestamp (or some other unique value) to it that can be checked server-side.
