Storing Credentials in Local Storage


Question

Could I securely use local storage instead of cookies to store session credentials?

Would I need to store an encrypted hash?

Would this be secure enough?

  • User logs in.

  • Server returns a success message including a salted bcrypt hash mixing userid, password, timestamp, and possibly IP address. This is saved in local storage.

  • On future connects this hash is sent; the server assumes accountability as long as the IP address hasn't changed and the time limit hasn't expired.

Answer

localStorage is just as vulnerable to being read by JavaScript as cookies are.

localStorage can be read using JavaScript from the same domain. If you control all the JS on the domain, then this shouldn't be a problem. But if any other code is executed (via injection, for example, or if you share the domain with someone else), it will be able to access the stored data.

This is the same for cookies; however, typically the cookie is set to HttpOnly so JavaScript cannot read it.

In either case, plain-text login information shouldn't be stored in either cookies or localStorage anyhow, as if someone does get hold of it, they can continuously make a new session for themselves.

You should encrypt an authenticated identifier (such as their user ID) along with the datetime of the session expiration, and then store this value in either a cookie or local storage. This token is then validated on each server call.

