科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>javascript - How to implement secure "Remember me" - Stack Overflow

    javascript - How to implement secure "Remember me" - Stack Overflow

    programmeradmin7浏览0评论

    I am trying to figure out how to implement "Remember me" into an app that I am working on. Currently my implementation looks like this.

    1. User Signs in and requests to be remembered
    2. Server validates user with email/password
    3. If validation is successful, I generate a JSON web token using the user's email and a secret key stored on the server.
    4. The token is then sent as a cookie back to the client. But at the same time the token is hashed using bcrypt and store in the user's information in the database.
    5. Now, when the user visits the page later, the cookie is sent to the server when the page is loaded and validated against the stored hash in the database.

    To me this "seems" secure because the token essentially bees the user's password and treated accordingly on the server side. However, I'm not sure if this is actually secure or if there is something I am missing.

    I am trying to figure out how to implement "Remember me" into an app that I am working on. Currently my implementation looks like this.

    1. User Signs in and requests to be remembered
    2. Server validates user with email/password
    3. If validation is successful, I generate a JSON web token using the user's email and a secret key stored on the server.
    4. The token is then sent as a cookie back to the client. But at the same time the token is hashed using bcrypt and store in the user's information in the database.
    5. Now, when the user visits the page later, the cookie is sent to the server when the page is loaded and validated against the stored hash in the database.

    To me this "seems" secure because the token essentially bees the user's password and treated accordingly on the server side. However, I'm not sure if this is actually secure or if there is something I am missing.

    • javascript
    • reactjs
    • security
    • jwt
    • bcrypt
    Share Improve this question asked Feb 14, 2018 at 17:22 Matt GileneMatt Gilene 931 gold badge1 silver badge4 bronze badges 1
    • One problem I see is that someone could copy the cookie value to another puter and log in as that user. To solve this, you could use something secret about the user in the encryption algorithm-- perhaps their password? – Feathercrown Commented Feb 14, 2018 at 17:26
    Add a ment  | 

    1 Answer 1

    Reset to default 3

    Instead of cookies you can use HTML5 Web Storage API. It is much more secure and is supported by all the modern browsers(IE8+).

    LocalStorage is a nice interface around Web Storage API. It is a form of client persistent storage without any expiry(until the user clears it) or the developer does it from JavaScript.

    You can further study this answer difference between Cookie and LocalStorage.

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论