如何使用Javascript保存登录凭据? [英] How to save login credentials using Javascript?
问题描述
我想将与第三方服务的集成添加到针对Android / iOS(以及更高版本的Windows Phone)的Web应用程序(以HTML和Javascript开发)。因此,我可以使用所有现代功能。此第三方服务需要凭据,并通过GET参数进行控制。
例如,请求网址应类似于 http://www.example.org/foo?username=user&password= 1234。
I want to add integration with a third-party service to a web application (developed in HTML and Javascript) which targets Android / iOS (and later Windows Phone). Thus I have access to all "modern" features. This third-party service needs credentials and is controlled via GET-Parameters.
For example, a request url could look like "http://www.example.org/foo?username=user&password=1234".
由于无法访问第三方服务,因此无法接受哈希密码。
Changing the third-party service to accept hashed passwords is no option as I have no access to it.
由于用户不想在每次使用服务或启动应用程序时都输入用户名和密码,因此我想以某种方式保存其凭据。
As the user does not want to type in his username and password every time he uses the service or starts the application, I want to save his credentials somehow.
现在,我想知道这样做的最佳方法是什么。
我知道真正的安全性在这里是一种幻想,但我不想通过以错误的方式保存凭据而使凭据面临不必要的风险。
Now I wonder, what's the best way to do so.
I know that real "security" is an illusion here but I do not want to expose the credentials to unnecessary risks by saving them the wrong way.
我已经考虑了几种可能的方法
I already thought about several possible ways
- 普通饼干:最多b $ b的直接方式-在这种情况下,安全
是否足够? - DOM存储:
这种
关系中的cookie有什么区别? - 加密的Cookie:
凭据将被加密,但是在查看$ b $的源代码时,您可以轻松地找到
密钥
b页面或对其进行调试。
我应该选择哪个?有什么更好的方法吗?
容易被破解时,对加密的困扰实际上值得吗?
Which one should I choose? Are there any better ways?
Is bothering with encrpytion actually worth it when it can be cracked that easily?
推荐答案
所有方式都是糟糕且不安全的。那么发送用户名和密码作为获取参数-您甚至可以通过https来运行它吗?
All the ways are bad and insecure. So is sending username and password as a get param - you even run this over https?
通常这样做的方法是根本不存储用户名/密码,但可以识别用户会话的GUID /哈希,然后让该会话持久化。
The way to do this usually is to not store the username/password at all, but a GUID/hash that identifies the users session, and then let that session be persisted.
这样,即使其他人可以访问该会话,他们也不会拥有用户名/密码。因此,除非提供了现有密码,否则人们无法更改密码。
That way, even if somebody else gets access to the session, they won't have the username/password. As part of this, people cannot change the password unless they supply the existing.
如果绝对需要通过后端代理连接到第三方服务并通过第三方代理进行身份验证,用户名/密码已发送。
Connect to and authenticate with the 3rd party service through a backend proxy if it absolutely needs to have username/password sent.
这篇关于如何使用Javascript保存登录凭据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
