Storing Credentials in Local Storage


Problem description



Could I securely use local storage instead of cookies to store session credentials?

Would I need to store an encrypted hash?

EDIT: Would this be secure enough?

  • User logs in.

  • Server returns success message including salted bcrypt hash mixing userid, password, timestamp, and possibly ip address. This is saved in local storage.

  • On future connects this hash is sent, server assumes accountability as long as IP address hasn't changed, and time limit hasn't expired.

Solution

localstorage is just as vulnerable to being read by JavaScript as cookies are.

localstorage can be read using JavaScript from the same domain. If you control all the JS on the domain, then this shouldn't be a problem. But if any other code is executed (via injection, for example, or if you share the domain with someone else), they will be able to access the storage data.

This is the same for cookies too; however, the cookie is typically set to HTTPOnly so JavaScript cannot read it.

In either case, plain-text login information shouldn't be stored in either cookies or localstorage anyhow, as if someone does get hold of them, they can continuously make a new session for themselves.

You should encrypt an authenticated identifier (such as their user ID) along with the datetime of the session expiration, and then store this value in either a cookie or local storage. This token is then validated on each server call.
