[Angular] Protect The Session Id with https and http only
2017-08-29 16:46
585 views
For the whole signup process, we need to:
1. Hash the password to create a password digest
2. Store the user's info and password digest into the db
3. Create a random session id to associate with the user
4. Set the session id into a cookie
```javascript
import * as argon2 from 'argon2';                 // password hashing (argon2 npm package)
import { randomBytes } from './random';           // promisified crypto.randomBytes (module below; file name assumed)
import { sessionStore } from './session-store';   // in-memory session store (module below; file name assumed)
// `db` is the post's persistence layer; its module is not shown here.

async function createUserAndSession(res, credentials) {
  // Create a password digest
  const passwordDigest = await argon2.hash(credentials.password);
  // Save into db
  const user = db.createUser(credentials.email, passwordDigest);
  // Create a random session id: 32 random bytes, hex-encoded
  const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
  // Link sessionId with user
  sessionStore.createSession(sessionId, user);
  // Set sessionId into cookie (no flags yet; hardened further down)
  res.cookie('SESSIONID', sessionId);
  // Send back to UI
  res.status(200).json({ id: user.id, email: user.email });
}
```

```javascript
const util = require('util');
const crypto = require('crypto');
// Convert the callback-based crypto.randomBytes into a promise-based function
export const randomBytes = util.promisify(crypto.randomBytes);
```

```typescript
import {Session} from './session';
import {User} from '../src/app/model/user';

class SessionStore {
  // sessionId -> Session, kept in memory
  private sessions: {[key: string]: Session} = {};

  createSession(sessionId: string, user: User) {
    this.sessions[sessionId] = new Session(sessionId, user);
  }
}

// We want only one global singleton
export const sessionStore = new SessionStore();
```
Now that the cookie is set, every later request we send to the server carries it in the request header; we can confirm that:
But the problem is that a hacker who can inject a script into the page can read our cookie with:

```javascript
document.cookie
```
This lets the attacker use our account simply by setting the stolen cookie in his own browser: it is then sent with every request, and the cookie is the only thing the server uses to verify the user.

```javascript
document.cookie = "......"
```
To protect against that, we can make the cookie accessible only to HTTP, not to JS:

```javascript
// set sessionid into cookie
res.cookie('SESSIONID', sessionId, {
  httpOnly: true, // JS cannot read the cookie via document.cookie
});
```
We can see that the "HTTP" column is now marked.
Second, we need to enable HTTPS protection.

To do that on the server (with the Secure flag the browser only sends the cookie over HTTPS, so the app itself has to be served over HTTPS too):

```javascript
// set sessionid into cookie
res.cookie('SESSIONID', sessionId, {
  httpOnly: true, // JS cannot read the cookie
  secure: true,   // browser sends the cookie over https only
});
```
We also need to adjust the Angular CLI so that the app runs on HTTPS.

package.json:

```json
"start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
```

proxy.json:

```json
{
  "/api": {
    "target": "https://localhost:9000",
    "secure": true
  }
}
```
We can see that the "Secure" column is now also marked.