Would it be possible to save session user data in SessionStorage?

4

Is saving user data in SessionStorage a good option? For example, the user enters the login and password, I authenticate in the back-end and return the entire object, then store that user in SessionStorage.

I'm a bit afraid to do this because the password and login are visible. If it is not a good option what would be the options to store the user?

    
asked by anonymous 23.02.2016 / 15:45

2 answers

3

Techies, I do not think it's legal to store the User's decrypted Password, either on your Database server or User's Browser.

So I think there's more to be rethought here. First, let's think about the back-end: you should encrypt the password using some unreachable algorithm, for example PBKDF2 + SHA256, Blowfish or BCrypt; you can probably find implementations on the internet.

Then, to authenticate, the user would send the username and password, the server would encrypt the password and compare it with the encrypted password in the database, and if it matched, the server would return an Access Token and not the password.

Here is an example of generating a 128-byte token:

var tamanho = 8;                       // number of GUIDs to concatenate
var index = -16;                       // advanced by 16 before each copy, so the first write lands at offset 0
var token = new byte[16 * tamanho];    // 8 * 16 = 128 bytes
for (var indice = 0; indice < tamanho; indice++) {
    Guid.NewGuid().ToByteArray().CopyTo(token, index += 16);
}
Console.WriteLine("Exemplo: " + Convert.ToBase64String(token));

//Exemplo: bopofs47dU6dt98TR8NULgqDQ6gOwb5LlUyJV36HO83sOatKfGjpSLuS6y0jOMJUOEv9pM5Roky3I0rlxfjB3CSrCCqVkfRKjolgL5lIFD/Gy37tjU3uR74iCZSZceiwhhUnIM3Mr0qWUjwqAThB6jupiPLbkiJKmeL1lZtM7vo=

You could store this Token in your Database, along with additional information... Access Date, IP, Machine Name, etc... as well as an Expiration Date (Absolute or Relative).

Now we have the dilemma of where to store this Token. The problem with SessionStorage is that it is unique to the browser tab, so if the user opens a new tab, he will have to authenticate again. So your choice here would be LocalStorage, IndexedDB and/or Cookies... to store a token, I do not see any problems using any one of them... I would particularly use IndexedDB.

The client would only need to send this Access Token, from which you will be able to identify the user.

    
23.02.2016 / 17:04
1

Techies,

I use the localStorage and it works great.

The architecture I use works like this:

Authenticate user > API returns token > Store token in localStorage.

Each new request has a non-angular interceptor that validates whether the token is in the url (if it comes from an external application) or is in the localStorage.

If it exists, add it to the request header.

Finally, to verify that the token is valid, in the backend I added a middleware that does this check. Ex:

// Assumed: jwt is the jsonwebtoken package used by jwt.verify below
var jwt = require('jsonwebtoken');

exports.isAuthenticated = function (token) {
  try {
    // Throws if the signature is invalid or the token has expired
    return jwt.verify(token, config.secrets);
  } catch (err) {
    throw new TokenError(err.message);
  }
};
    
23.02.2016 / 18:52