Securely store user password locally in a jQuery Mobile app


Question

I need to access an API which requires HTTP authentication on a per-user basis using a jQuery Mobile app.

I plan to make the app available as a website as well as packaging it in Cordova for various devices.

If I have a login form which captures the username and password and stores this as a JavaScript variable, is there any way this data could be exposed?

If so, what's the best alternative to handle storing the user's authentication details? I am reticent to build an intermediary server if I don't have to.

Thanks. :D

Answer

I would suggest not storing the username or password in localStorage, but instead storing an access token. Access tokens can be updated and changed frequently, and they don't reveal who the user is or what their hashed password is.

Besides the iOS Keychain, or if you're coding it for a non-iPhone device, for added security you can:

  • Change the access token at each login and each time the app is used
  • Store the device ID in the server database (see http://docs.phonegap.com/en/2.2.0/cordova_device_device.md.html#device.uuid)
  • Clear the localStorage and request a new login if the access token or device ID doesn't match the data stored in the database

Make sure you don't store the device ID in localStorage.

For added security you can also store the user's IP address in the database and check (server side) whether the IP address matches, but this might be too much, since the user would have to log in every time they connect to the internet in a new location or their IP address changes.

Storing the IP address in the server database and then checking whether it matches (server side) would probably be the safest, since it wouldn't matter if someone got hold of the localStorage data.
