For the whole signup process. we need to

  • Hash the password to create a password digest
  • Store the user's info and password digest into db
  • Create a random sessionId to assoc with user
  • Set Session Id into cookie
async function createUserAndSession(res, credentials) {

  // Create a password digest

  const passwordDigest = await argon2.hash(credentials.password);

  // Save into db

  const user = db.createUser(credentials.email, passwordDigest);

  // create random session id

  const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));

  // link sessionId with user

  sessionStore.createSession(sessionId, user);

  // set sessionid into cookie

  res.cookie('SESSIONID', sessionId);

  // send back to UI

  res.status(200).json({id: user.id, email: user.email});

}

-----

const util = require('util');

const crypto = require('crypto');

// convert a callback based code to promise based

export const randomBytes = util.promisify(

  crypto.randomBytes

);

-----

import {Session} from './session';

import {User} from '../src/app/model/user';

class SessionStore {

  private sessions: {[key: string]: Session} = {};

  createSession(sessionId: string, user: User) {

    this.sessions[sessionId] = new Session(sessionId, user);

  }

}

// We want only global singleton

export const sessionStore = new SessionStore();

Now we have set the cookie, later, each request we send to the server, this cookie will be attached in the request header, we can confirm that:

But the problem is that, hacker can inject some script to get our cookie by using:

document.cookie

It enables the hacker to attack our site by just set cookie in his broswer, then in each reqest, the cookie will be sent to server, cookie is the only thing which server used to verfiy the user.

document.cookie = "......"

To protect that, we can make cookie can only be accessed by http, not JS:

  // set sessionid into cookie

  res.cookie('SESSIONID', sessionId, {

    httpOnly: true, // js cannot access cookie

  });

We can see that "HTTP" column was marked.

Second, we need to enable https protect.

To do that in server:

  // set sessionid into cookie

  res.cookie('SESSIONID', sessionId, {

    httpOnly: true, // js cannot access cookie

    secure: true // enable https only

  });

We also need to adjust angular cli so that app run on https:

package.json:

"start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
// proxy.json

{

  "/api": {

    "target": "https://localhost:9000",

    "secure": true

  }

}

We can see that "Secure" column now is also marked.

[Angular] Protect The Session Id with https and http only的更多相关文章

  1. ORA-00030: User session ID does not exist.

    同事在Toad里面执行SQL语句时,突然无线网络中断了,让我检查一下具体情况,如下所示(有些信息,用xxx替换,因为是在处理那些历史归档数据,使用的一个特殊用户,所以可以用下面SQL找到对应的会话信息 ...

  2. Infinite loop when using cookieless session ID on Azure

    If you use cookieless session ID and deploy them on Azure, you might get infinite loop when you quer ...

  3. 【转】Session ID/session token 及和cookie区别

    Session + Cookie  知识收集! cookie机制采用的是在客户端保持状态的方案.它是在用户端的会话状态的存贮机制,他需要用户打开客户端的cookie支持.cookie的作用就是为了解决 ...

  4. Session id实现通过Cookie来传输方法及代码参考

    1. Web中的Session指的就是用户在浏览某个网站时,从进入网站到浏览器关闭所经过的这段时间,也就是用户浏览这个网站所花费的时间.因此从上述的定义中我们可以看到,Session实际上是一个特定的 ...

  5. 获得创建临时表的session id

    通过sql server的default trace和tempdb中的sys.objects视图,你能够获得创建临时表的session id,下面是相应的sql语句: DECLARE @FileNam ...

  6. 【从翻译mos文章】正在实施的获取job的 session id

    正在实施的获取job的 session id 参考原始: How to get the session Id of the Running Job (Doc ID 1604966.1) 申请: Ora ...

  7. [解决]Linux Tomcat启动慢--Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [236,325] milliseconds

    一.背景 今天部署项目到tomcat,执行./startup.sh命令之后,访问项目迟迟加载不出来,查看日志又没报错(其实是我粗心了,当时tomcat日志还没打印完),一开始怀疑是阿里云主机出现问题, ...

  8. Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [33,755] milliseconds.

    刚部署好程序,第一次登录时,加载非常得慢,查看log日志发现:Creation of SecureRandom instance for session ID generation using [SH ...

  9. WARNING [main] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [] milliseconds.

    编译安装tomcat-native和tomcat-deamon以后,发现toomcat启动很慢,好久才有响应.以下日志供参考: 11-Sep-2017 12:19:28.102 INFO [main] ...

随机推荐

  1. JS — 对象的基本操作

    JS面向对象系列教程 — 对象的基本操作 面向对象概述  面向对象(Object Oriented)简称OO,它是一种编程思维,用于指导我们如何应对各种复杂的开发场景. 这里说的对象(Object) ...

  2. Scrapy 框架介绍

    Scrapy 框架 Scrapy,Python开发的一个快速.高层次的屏幕抓取和web抓取框架,用于抓取web站点并从页面中提取结构化的数据.Scrapy用途广泛,可以用于数据挖掘.监测和自动化测试. ...

  3. U-BOOT概述及源码分析(一)

    嵌入式Linux系统从软件角度通常可以分为以下4个层次: 引导加载程序 | Linux内核 | 文件系统 | 用户应用程序 嵌入式Linux系统中典型分区结构: 正常启动过程中,Bootloader首 ...

  4. 紫书 习题 10-44 UVa 11246 ( 容斥原理)

    把k的倍数的删去(k, 2k, 3k--),但是k^2不应该删去,因为k已经删去,所以不存在某个数乘上k之后为k^2 所以k^2可以留下,然后因为有k^2,所以k^3就是k^2的k倍,所以k^3要删去 ...

  5. 手把手教你用vue-cli构建一个简单的路由应用

    上一章说道:十分钟上手-搭建vue开发环境(新手教程)https://www.jianshu.com/p/0c6678671635 开发环境搭建好之后,那么开始新添加一些页面,构建最基本的vue项目, ...

  6. Qt源码编译

    Qt源码编译 eryar@163.com Key words. Qt, 源码编译 1.Introduction 随着Qt版本升级,源码编译出来的库体积越来越大.如果只是用Qt来做GUI,Qt提供的预编 ...

  7. 如何才能正确的关闭Socket连接

    从TCP协议角度来看,一个已建立的TCP连接有两种关闭方式,一种是正常关闭,即四次挥手关闭连接:还有一种则是异常关闭,我们通常称之为连接重置(RESET).首先说一下正常关闭时四次挥手的状态变迁,关闭 ...

  8. [React Native] Animate the Scale of a React Native Button using Animated.spring

    In this lesson we will use Animated.spring and TouchableWithoutFeedback to animate the scale of a bu ...

  9. 使用 Bluemix™ Live Sync 高速更新 Bluemix 上执行的应用程序实例

    假设您要构建 Node.js 应用程序,那么能够使用 IBM® Bluemix® Live Sync 高速更新 Bluemix 上的应用程序实例,并像在桌面上进行操作一样进行开发,而无需又一次部署.执 ...

  10. 通过wireshark,以及python代码收发邮件,了解smtp协议,pop协议工作过程

    40返回连接server成功 41.43发送ehlo命令查询server支持命令 返回250 44.46请求认证  server响应235认证成功 47.49发送mail命令发送者邮箱  返回250 ...