For the whole signup process. we need to

  • Hash the password to create a password digest
  • Store the user's info and password digest into db
  • Create a random sessionId to assoc with user
  • Set Session Id into cookie
async function createUserAndSession(res, credentials) {

  // Create a password digest

  const passwordDigest = await argon2.hash(credentials.password);

  // Save into db

  const user = db.createUser(credentials.email, passwordDigest);

  // create random session id

  const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));

  // link sessionId with user

  sessionStore.createSession(sessionId, user);

  // set sessionid into cookie

  res.cookie('SESSIONID', sessionId);

  // send back to UI

  res.status(200).json({id: user.id, email: user.email});

}

-----

const util = require('util');

const crypto = require('crypto');

// convert a callback based code to promise based

export const randomBytes = util.promisify(

  crypto.randomBytes

);

-----

import {Session} from './session';

import {User} from '../src/app/model/user';

class SessionStore {

  private sessions: {[key: string]: Session} = {};

  createSession(sessionId: string, user: User) {

    this.sessions[sessionId] = new Session(sessionId, user);

  }

}

// We want only global singleton

export const sessionStore = new SessionStore();

Now we have set the cookie, later, each request we send to the server, this cookie will be attached in the request header, we can confirm that:

But the problem is that, hacker can inject some script to get our cookie by using:

document.cookie

It enables the hacker to attack our site by just set cookie in his broswer, then in each reqest, the cookie will be sent to server, cookie is the only thing which server used to verfiy the user.

document.cookie = "......"

To protect that, we can make cookie can only be accessed by http, not JS:

  // set sessionid into cookie

  res.cookie('SESSIONID', sessionId, {

    httpOnly: true, // js cannot access cookie

  });

We can see that "HTTP" column was marked.

Second, we need to enable https protect.

To do that in server:

  // set sessionid into cookie

  res.cookie('SESSIONID', sessionId, {

    httpOnly: true, // js cannot access cookie

    secure: true // enable https only

  });

We also need to adjust angular cli so that app run on https:

package.json:

"start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
// proxy.json

{

  "/api": {

    "target": "https://localhost:9000",

    "secure": true

  }

}

We can see that "Secure" column now is also marked.

[Angular] Protect The Session Id with https and http only的更多相关文章

  1. ORA-00030: User session ID does not exist.

    同事在Toad里面执行SQL语句时,突然无线网络中断了,让我检查一下具体情况,如下所示(有些信息,用xxx替换,因为是在处理那些历史归档数据,使用的一个特殊用户,所以可以用下面SQL找到对应的会话信息 ...

  2. Infinite loop when using cookieless session ID on Azure

    If you use cookieless session ID and deploy them on Azure, you might get infinite loop when you quer ...

  3. 【转】Session ID/session token 及和cookie区别

    Session + Cookie  知识收集! cookie机制采用的是在客户端保持状态的方案.它是在用户端的会话状态的存贮机制,他需要用户打开客户端的cookie支持.cookie的作用就是为了解决 ...

  4. Session id实现通过Cookie来传输方法及代码参考

    1. Web中的Session指的就是用户在浏览某个网站时,从进入网站到浏览器关闭所经过的这段时间,也就是用户浏览这个网站所花费的时间.因此从上述的定义中我们可以看到,Session实际上是一个特定的 ...

  5. 获得创建临时表的session id

    通过sql server的default trace和tempdb中的sys.objects视图,你能够获得创建临时表的session id,下面是相应的sql语句: DECLARE @FileNam ...

  6. 【从翻译mos文章】正在实施的获取job的 session id

    正在实施的获取job的 session id 参考原始: How to get the session Id of the Running Job (Doc ID 1604966.1) 申请: Ora ...

  7. [解决]Linux Tomcat启动慢--Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [236,325] milliseconds

    一.背景 今天部署项目到tomcat,执行./startup.sh命令之后,访问项目迟迟加载不出来,查看日志又没报错(其实是我粗心了,当时tomcat日志还没打印完),一开始怀疑是阿里云主机出现问题, ...

  8. Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [33,755] milliseconds.

    刚部署好程序,第一次登录时,加载非常得慢,查看log日志发现:Creation of SecureRandom instance for session ID generation using [SH ...

  9. WARNING [main] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [] milliseconds.

    编译安装tomcat-native和tomcat-deamon以后,发现toomcat启动很慢,好久才有响应.以下日志供参考: 11-Sep-2017 12:19:28.102 INFO [main] ...

随机推荐

  1. Hexo Daemon

    前提 今天中午的时候发现自已网站突然不能访问了,我猜肯定是后台的hexo服务异常自动kill掉了.果然登录服务器ps -ef | grep hexo查看进程,果然发现hexo的进程不在了.由于我将输出 ...

  2. 【Codeforces Round #459 (Div. 2) D】MADMAX

    [链接] 我是链接,点我呀:) [题意] 在这里输入题意 [题解] f[x][y][z][2] 表示第一个人到了点x,第二个人到了点y,当前轮的字母(1..26),当前轮到谁走的情况下,谁赢. 写个记 ...

  3. cogs 1396. wwww

    1396. wwww ☆   输入文件:wwww.in   输出文件:wwww.out   简单对比时间限制:1 s   内存限制:256 MB [题目描述] 对于一个递归函数w(a,b,c) 如果 ...

  4. C#与Linux守护进程

    用C#编写Linux守护进程   如果要在Red Hat Enterprise Linux上将.NET Core进程作为后台进程运行,则可以创建自定义systemd单元.今天我将为.NET Core编 ...

  5. windows下go语言环境

    1  liteIDE ,随便装哪儿都行 2  GO语言包 安装  ,我安装到了 c:\go  (顺便给个地址下载地址  https://golang.org/dl/  ) 3  GCC编译器 安装,同 ...

  6. BZOJ3994: [SDOI2015]约数个数和(莫比乌斯反演)

    Description  设d(x)为x的约数个数,给定N.M,求     Input 输入文件包含多组测试数据. 第一行,一个整数T,表示测试数据的组数. 接下来的T行,每行两个整数N.M. Out ...

  7. 洛谷 P3505 [POI2010]TEL-Teleportation

    P3505 [POI2010]TEL-Teleportation 题目描述 King Byteasar is the ruler of the whole solar system that cont ...

  8. PA模块经常使用表

    SELECT * FROM pa_projects_all; --项目 SELECT * FROM pa_project_types; --项目类型 SELECT * FROM pa_project_ ...

  9. NB大了,增强现实走进安防行业了!竟然还有智能家居的规划!

     增强现实系统故事性功能解说 作者:李欢   工号:2288  电话:18938902295 邮箱:lihuan@gosuncn.com 前言: 本文仅适用于2014北京安防展,增强现实展区人员学 ...

  10. 《iOS Human Interface Guidelines》——Container View Controller

    容器视图控制器 容器视图控制器管理和展示它的子视图集合--或者子控制器集合--以一种自己定义的方式. 系统定义的容器视图控制器的样例有标签栏视图控制器.导航栏视图控制器和分栏视图控制器(查看Tab B ...