Can localStorage be modified by a client?


Problem description

I'm attempting to use localStorage as a cookie replacement (detest cookies) so users can stay signed in on a site I operate.

What I planned so far was to save the user's username in localStorage, and have the site check whether anything was in localStorage, and if anything is in localStorage, it'd push the localStorage data to a PHP file via POST and push the user to start a new PHP session and return them back to where they were.

Though I have the concern, I know localStorage can be viewed, in which case possibly encrypting the data server-side would make some sense.

But can LocalStorage data be modified? If not, this would be fine to do, even without encryption, but obviously if a user could modify the localStorage data, they would have access to others' accounts, which as you can imagine, isn't a good thing.

I had the doubt because JavaScript can be executed by a client in a browser, i.e.:

javascript:alert("hello");

Couldn't it be possible to find out the localStorage's var name and reset its value like this?

javascript:localStorage.setItem('sessionusername','superadmin');

Basically, I ask: Can HTML5 Local Storage data be modified on client side?

Cheers, Karan :)

Solution

Local storage is bound to the domain, so in the regular case the user cannot change it on any other domain or on localhost.

It is also bound per user/browser, i.e. no third party has access to one's local storage.

Nevertheless, local storage is in the end a file on the user's file system and may be hacked.
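
Added example, not part of the original question or answer: the `localStorage.setItem('sessionusername', ...)` line from the question does work in the user's own browser on the site's origin, so a server cannot treat a stored username as proof of identity. The sketch below uses Node.js as a stand-in for the PHP backend and stores a server-signed, expiring token instead; `issueToken`, `verifyToken`, the `sessiontoken` key, the token layout and the in-memory `localStorageSim` are all assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Server-only secret, constructed for this demo. It never reaches the browser.
const SERVER_KEY = nodeCrypto.randomBytes(32);

function sign(body) {
  return nodeCrypto.createHmac('sha256', SERVER_KEY).update(body).digest('base64url');
}

// Server: after a real password check, issue "<base64url(claims)>.<hmac>".
function issueToken(username, ttlSeconds, now = Date.now()) {
  const claims = JSON.stringify({ u: username, exp: now + ttlSeconds * 1000 });
  const body = Buffer.from(claims).toString('base64url');
  return `${body}.${sign(body)}`;
}

// Server: return the username only if the MAC verifies and the token is unexpired.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]));
  const given = Buffer.from(parts[1]);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return null;
  }
  let claims;
  try { claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')); } catch { return null; }
  if (!claims || typeof claims.u !== 'string' || typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims.u;
}

// Stand-in for window.localStorage so the example runs under Node.
const storage = new Map();
const localStorageSim = {
  setItem: (k, v) => { storage.set(k, String(v)); },
  getItem: (k) => (storage.has(k) ? storage.get(k) : null),
};

// What the question proposed: the server accepts whatever username is stored.
function naiveLogin(store) { return store.getItem('sessionusername'); }
// Token variant: the server accepts only a value it signed itself.
function tokenLogin(store, now) { return verifyToken(store.getItem('sessiontoken'), now); }
```

The signature only stops a user from editing the stored identity; the token is still readable by any script running on the origin, so it can be copied if the site has a script-injection flaw, which an `HttpOnly` cookie avoids.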
