For the whole signup process. we need to

  • Hash the password to create a password digest
  • Store the user's info and password digest into db
  • Create a random sessionId to assoc with user
  • Set Session Id into cookie
async function createUserAndSession(res, credentials) {
// Create a password digest
const passwordDigest = await argon2.hash(credentials.password);
// Save into db
const user = db.createUser(credentials.email, passwordDigest);
// create random session id
const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
// link sessionId with user
sessionStore.createSession(sessionId, user);
// set sessionid into cookie
res.cookie('SESSIONID', sessionId);
// send back to UI
res.status(200).json({id: user.id, email: user.email});
} ----- const util = require('util');
const crypto = require('crypto'); // convert a callback based code to promise based
export const randomBytes = util.promisify(
crypto.randomBytes
); ----- import {Session} from './session';
import {User} from '../src/app/model/user';
class SessionStore {
private sessions: {[key: string]: Session} = {}; createSession(sessionId: string, user: User) {
this.sessions[sessionId] = new Session(sessionId, user);
}
} // We want only global singleton
export const sessionStore = new SessionStore();

Now we have set the cookie, later, each request we send to the server, this cookie will be attached in the request header, we can confirm that:

But the problem is that, hacker can inject some script to get our cookie by using:

document.cookie

It enables the hacker to attack our site by just set cookie in his broswer, then in each reqest, the cookie will be sent to server, cookie is the only thing which server used to verfiy the user.

document.cookie = "......"

To protect that, we can make cookie can only be accessed by http, not JS:

  // set sessionid into cookie
res.cookie('SESSIONID', sessionId, {
httpOnly: true, // js cannot access cookie
});

We can see that "HTTP" column was marked.

Second, we need to enable https protect.

To do that in server:

  // set sessionid into cookie
res.cookie('SESSIONID', sessionId, {
httpOnly: true, // js cannot access cookie
secure: true // enable https only
});

We also need to adjust angular cli so that app run on https:

package.json:

"start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
// proxy.json

{
"/api": {
"target": "https://localhost:9000",
"secure": true
}
}

We can see that "Secure" column now is also marked.

[Angular] Protect The Session Id with https and http only的更多相关文章

  1. ORA-00030: User session ID does not exist.

    同事在Toad里面执行SQL语句时,突然无线网络中断了,让我检查一下具体情况,如下所示(有些信息,用xxx替换,因为是在处理那些历史归档数据,使用的一个特殊用户,所以可以用下面SQL找到对应的会话信息 ...

  2. Infinite loop when using cookieless session ID on Azure

    If you use cookieless session ID and deploy them on Azure, you might get infinite loop when you quer ...

  3. 【转】Session ID/session token 及和cookie区别

    Session + Cookie  知识收集! cookie机制采用的是在客户端保持状态的方案.它是在用户端的会话状态的存贮机制,他需要用户打开客户端的cookie支持.cookie的作用就是为了解决 ...

  4. Session id实现通过Cookie来传输方法及代码参考

    1. Web中的Session指的就是用户在浏览某个网站时,从进入网站到浏览器关闭所经过的这段时间,也就是用户浏览这个网站所花费的时间.因此从上述的定义中我们可以看到,Session实际上是一个特定的 ...

  5. 获得创建临时表的session id

    通过sql server的default trace和tempdb中的sys.objects视图,你能够获得创建临时表的session id,下面是相应的sql语句: DECLARE @FileNam ...

  6. 【从翻译mos文章】正在实施的获取job的 session id

    正在实施的获取job的 session id 参考原始: How to get the session Id of the Running Job (Doc ID 1604966.1) 申请: Ora ...

  7. [解决]Linux Tomcat启动慢--Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [236,325] milliseconds

    一.背景 今天部署项目到tomcat,执行./startup.sh命令之后,访问项目迟迟加载不出来,查看日志又没报错(其实是我粗心了,当时tomcat日志还没打印完),一开始怀疑是阿里云主机出现问题, ...

  8. Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [33,755] milliseconds.

    刚部署好程序,第一次登录时,加载非常得慢,查看log日志发现:Creation of SecureRandom instance for session ID generation using [SH ...

  9. WARNING [main] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [] milliseconds.

    编译安装tomcat-native和tomcat-deamon以后,发现toomcat启动很慢,好久才有响应.以下日志供参考: 11-Sep-2017 12:19:28.102 INFO [main] ...

随机推荐

  1. tensorflow学习之路---Session、Variable(变量)和placeholder

    ---恢复内容开始--- 1.Session '''Session.run():首先里面的参数是一个API(函数的接口)的返回值或者是指定参数的值:功能:得知运算结果有两种访问方式:直接建立或者运用w ...

  2. js中由undefined说起

    typeof()函数 返回的是字符串.有六种可能:"number"."string"."boolean"."object" ...

  3. JAVA学习第五十四课 — IO流(八)打印流 & 序列流

    一.综合练习-文件清单列表 获取指定文件夹下,指定扩展名的文件(含子文件夹),并将这些文件的绝对路径写到一个文本文件里.也就是建立一个指定扩展名的文件列表 1.深度遍历 2.过滤器->容器 3. ...

  4. dlmalloc 2.8.6 源代码具体解释(5)

    本文章由vector03原创, 转载请注明出处. 邮箱地址: mmzsmm@163.com, 欢迎来信讨论.     3. 分配及实现 本章节介绍dlmalloc的分配算法和实现.由于存在多mspac ...

  5. android-开发环境相关概念

    Android中IDE.ADT.SDK.JDK.NDK的解释 1. IDE: Intelligent Development Environm的简称.即智能开发环境.是一种开发工具.常用的IDE有ad ...

  6. 用C#调用Lua脚本

    用C#调用Lua脚本 一.引言 学习Redis也有一段时间了,感触还是颇多的,但是自己很清楚,路还很长,还要继续.上一篇文章简要的介绍了如何在Linux环境下安装Lua,并介绍了在Linux环境下如何 ...

  7. POJ 2458 DFS+判重

    题意: 思路: 搜+判重 嗯搞定 (听说有好多人用7个for写得-.) //By SiriusRen #include <bitset> #include <cstdio>0 ...

  8. IBM Tivoli Netview在企业网络管理中的实践(附视频)

    今天我为大家介绍的一款高端网管软件名叫IBM Tivoli NetView,他主要关注是IBM整理解决方案的用户,分为Unix平台和Windwos平台两种,这里视频演示的是基于Windows 2003 ...

  9. js中的组合模式

    <!doctype html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  10. jQuery插件--根据数据加载的进度动画案例

    css: *{ margin:; padding:; } @media screen and (min-width:320px){ html{font-size:12px;}} @media scre ...