使用Firebase进行会话管理？ [英] Session management with Firebase?

问题描述

我正在使用Firebase构建一个基本的Web应用程序，需要进行身份验证和会话处理。仔细阅读Firebase Auth的文档，我决定使用电子邮件/密码选项通过Facebook登录。

登录成功后，我们得到一个令牌在使用 auth（）时，在页面刷新时或在新选项卡上再次使用。但是，为此，我们需要将令牌保存在客户端的某个地方。阅读 Firefeed的源代码，它实现了auth和会话处理中，标记保存在用户浏览器的 localStorage 中。

这种方法有多安全？因为使用浏览器的任何人都可以看到 localStorage 数据。有没有更好的选择呢？简单登录返回的令牌是用户特定的时间限制的令牌。如果受到威胁，他们将在最坏情况下允许攻击者在有限的时间内冒充该用户。它们不包含用户的密码或其他敏感数据。

localstorage只能由保存其的主机域上的Javascript访问，所以您访问的其他站点有没有访问它（假设浏览器或您的网站没有被入侵，但如果他们有，所有的赌注都关闭...）

所以，简短的回答，这种做法相当安全。

I am building a basic webapp using Firebase that requires authentication and session handling. Going over the docs for Firebase Auth, I decided to use the email/password option over the Facebook login.

Upon successful login, we get a token that could be used again for logging in when the page refreshes or on a new tab using auth(). But, for that we would need to save the token somewhere on the client side. Going through the source code for Firefeed which implements auth and session handling, the token is saved in the localStorage of the user's browser.

How secure is this approach? Since localStorage data would be visible to anyone using the browser. Is there any better alternative to this?

解决方案

The tokens returned by the Simple Login are time-bound, user-specific tokens. If compromised, they will at worst allow an attacker to impersonate that user for a limited period of time. They do not contain the user's password or other sensitive data.

localstorage can only be accessed by Javascript on the host domain from which it was saved, so other sites you visit will have no access to it (assuming the browser or your site haven't been compromised, but if they have, all bets are off...)

So, short answer, this approach is quite secure.

这篇关于使用Firebase进行会话管理？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！