Techies, I do not think it's legal to store the User's decrypted Password, either on your Database server or User's Browser.
So I think there's more to be rethought here, first let's think about
back-end
, you should encrypt the password using some unreachable algorithm, for example
PBKDF2 + SHA256
,
Blowfish
or
BCrypt
, you possibly should find implementations over the internet.
Then the user to authenticate would send the user and password, the server would encrypt the password and compare it with the encrypted password in the bank, if it succeeded, the server would return an Access Token and not the password. p>
Here is an example of a 128-byte Token Generation:
var tamanho = 8;
var index = -16;
var token = new byte[16 * tamanho];
for (var indice = 0; indice < tamanho ; indice++) {
Guid.NewGuid().ToByteArray().CopyTo(token, index += 16);
}
Console.WriteLine("Exemplo: " + Convert.ToBase64String(token));
//Exemplo: bopofs47dU6dt98TR8NULgqDQ6gOwb5LlUyJV36HO83sOatKfGjpSLuS6y0jOMJUOEv9pM5Roky3I0rlxfjB3CSrCCqVkfRKjolgL5lIFD/Gy37tjU3uR74iCZSZceiwhhUnIM3Mr0qWUjwqAThB6jupiPLbkiJKmeL1lZtM7vo=
You could store this Token in your Database, as well as additional information ... Access Date, IP, Machine Name, etc ... as well as an Expiration Date (Absolute or Relative). >
Now we have the dilemma of where to store this Token
, the problem with SessionStorage
is that it is unique to Tab
of the Browser, so if the user opens a new tab, he will have to authenticate again. so your choice here would be LocalStorage
, IndexedDB
and / or Cookies
... to store a token, I do not see any problems using any one of them ... I would particularly use IndexedDB.
The Client would only need to send this Access Token, from which you will be able to identify the user.