SPA best practices for authentication and session management


Question

When building SPA style applications using frameworks like Angular, Ember, React, etc. what do people believe to be some best practices for authentication and session management? I can think of a couple of ways of considering approaching the problem.

  1. Treat it no differently than authentication with a regular web application, assuming the API and UI have the same origin domain.

This would likely involve having a session cookie, server side session storage and probably some session API endpoint that the authenticated web UI can hit to get current user information to help with personalization or possibly even determining roles/abilities on the client side. The server would still enforce rules protecting access to data of course, the UI would just use this information to customize the experience.

  2. Treat it like any third-party client using a public API and authenticate with some sort of token system similar to OAuth. This token mechanism would be used by the client UI to authenticate each and every request made to the server API.

I'm not really much of an expert here but #1 seems to be completely sufficient for the vast majority of cases, but I'd really like to hear some more experienced opinions.

Answer

This question has been addressed, in a slightly different form, at length, here:

RESTful Authentication

But this addresses it from the server-side. Let's look at this from the client-side. Before we do that, though, there's an important prelude:

Matasano's article on this is famous, but the lessons contained therein are pretty important:

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-thinked-harmful/

Summarizing:

  • Man-in-the-middle attacks can easily use