Angular 本地存储值显示为纯文本
Angular localstorage value visible as Plain text
我创建了一个 Angular 网站,我在其中使用本地存储来存储数据,以便我可以在访问某些页面之前检查用户是否已登录。我像这样将用户名存储在本地存储中。
localStorage.setItem('username', this.username);
问题是我在发布后检查了我的网站。存储在 localstorage 中的值在 Inspect Section 的 Application 选项卡中以纯文本形式显示。
那么,是否有一些解决方法可以防止这种情况发生。如果没有,你能建议任何其他简单的方法来检查用户是否登录。
对于 Web 应用程序身份验证,最佳做法是使用 JWT 生成 token 并将 username 放入 hashed 中且不可见的令牌中.因此,您将 token 设置为 localStorage。虽然,有许多安全方式而不是 localstorage 例如 httpOnly.
If you need to store sensitive data, here's how to do it:
When a user logs into your website, create a session identifier for them and store it in a cryptographically signed cookie. If you're
using a web framework, look up “how to create a user session using
cookies” and follow that guide.
Make sure that whatever cookie library your web framework uses is setting the httpOnly cookie flag. This flag makes it impossible for a
browser to read any cookies, which is required in order to safely use
server-side sessions with cookies. Read Jeff Atwood's article for
more information. He's the man.
Make sure that your cookie library also sets the SameSite=strict cookie flag (to prevent CSRF attacks), as well as the secure=true
flag (to ensure cookies can only be set over an encrypted
connection).
Each time a user makes a request to your site, use their session ID (extracted from the cookie they send to you) to retrieve their
account details from either a database or a cache (depending on how
large your website is)
Once you have the user's account info pulled up and verified, feel free to pull any associated sensitive data along with it
有关详细信息,请阅读本文:
Please Stop Using Local Storage
你的实现是完全错误的。如果要将数据存储在本地存储中,则必须使用 JWT。这意味着你应该 post 后端的用户名和密码,他们使用库将用户名和密码更改为它们的加密格式。然后他们return值,经过这些程序,你可以将数据存储在本地存储中,值是一些无意义的字符。
如果您想了解更多关于 JWT 的信息,可以访问 here。
希望对你有用。
我创建了一个 Angular 网站,我在其中使用本地存储来存储数据,以便我可以在访问某些页面之前检查用户是否已登录。我像这样将用户名存储在本地存储中。
localStorage.setItem('username', this.username);
问题是我在发布后检查了我的网站。存储在 localstorage 中的值在 Inspect Section 的 Application 选项卡中以纯文本形式显示。
那么,是否有一些解决方法可以防止这种情况发生。如果没有,你能建议任何其他简单的方法来检查用户是否登录。
对于 Web 应用程序身份验证,最佳做法是使用 JWT 生成 token 并将 username 放入 hashed 中且不可见的令牌中.因此,您将 token 设置为 localStorage。虽然,有许多安全方式而不是 localstorage 例如 httpOnly.
If you need to store sensitive data, here's how to do it:
When a user logs into your website, create a session identifier for them and store it in a cryptographically signed cookie. If you're
using a web framework, look up “how to create a user session using
cookies” and follow that guide.Make sure that whatever cookie library your web framework uses is setting the httpOnly cookie flag. This flag makes it impossible for a browser to read any cookies, which is required in order to safely use server-side sessions with cookies. Read Jeff Atwood's article for
more information. He's the man.Make sure that your cookie library also sets the SameSite=strict cookie flag (to prevent CSRF attacks), as well as the secure=true
flag (to ensure cookies can only be set over an encrypted
connection).Each time a user makes a request to your site, use their session ID (extracted from the cookie they send to you) to retrieve their
account details from either a database or a cache (depending on how
large your website is)Once you have the user's account info pulled up and verified, feel free to pull any associated sensitive data along with it
有关详细信息,请阅读本文: Please Stop Using Local Storage
你的实现是完全错误的。如果要将数据存储在本地存储中,则必须使用 JWT。这意味着你应该 post 后端的用户名和密码,他们使用库将用户名和密码更改为它们的加密格式。然后他们return值,经过这些程序,你可以将数据存储在本地存储中,值是一些无意义的字符。
如果您想了解更多关于 JWT 的信息,可以访问 here。
希望对你有用。