Would it be feasible to save session user data in Sessionstorage?

Asked

Viewed 1,327 times

5

Save user data to SessionStorage is a good option? For example, the user enters with the login and password I do the authentication on back-end and return the entire object, then store that user in the SessionStorage.

I am a little afraid to do this process that way because the password and login are visible. If it is not a good option what would be the options to store the user?

  • 1

    The question is, why is the password included in the returned object? This makes no sense and is totally insecure, very!

  • 1

    As a rule never store credentials (encrypted or not) in the client.

2 answers

4


Techies, I don’t think it’s legal to store the decrypted User Password, either on your Database server or in the User Browser.

So I believe there’s more to be rethought here, first let’s think about back-end, you should encrypt the password using some irrevocable algorithm, for example PBKDF2 + SHA256, Blowfish or BCrypt, you possibly should find implementations over the internet.

Then the User to authenticate would send the user and password, the server would encrypt the password and compare it with the encrypted password in the bank, if successful, the server would return an Access Token and not the password.

Follow an example of 128-byte Token generation:

var tamanho = 8;
var index = -16;
var token = new byte[16 * tamanho];
for (var indice = 0; indice < tamanho ; indice++) {
    Guid.NewGuid().ToByteArray().CopyTo(token, index += 16);
}
Console.WriteLine("Exemplo: " + Convert.ToBase64String(token));

//Exemplo: bopofs47dU6dt98TR8NULgqDQ6gOwb5LlUyJV36HO83sOatKfGjpSLuS6y0jOMJUOEv9pM5Roky3I0rlxfjB3CSrCCqVkfRKjolgL5lIFD/Gy37tjU3uR74iCZSZceiwhhUnIM3Mr0qWUjwqAThB6jupiPLbkiJKmeL1lZtM7vo=

You could store this Token in your Database as well as additional information... Access Date, IP, Host Name, etc... as well as an Expiration Date (Absolute or Relative).

Now we have the dilemma of where to store this Token, the problem of SessionStorage is that he is unique by Tab browser, so if the user opens a new tab, he will have to authenticate again. then his option here would be the LocalStorage, IndexedDB and/or Cookies... to store a token, I see no problem in using either one of them... I would particularly use Indexeddb.

Customer would need only send this Access Token, from it you will be able to identify the user.

  • I get it, I’ll encrypt the password. The token I already have, I am using JWT, I think I can recover only the user code after login, and every time I need to use this user I take the code and make a new query with token included.

2

Techies,

I use the localStorage and it works very well.

The architecture I use works like this:

User authenticates > API returns token > Stores token in localStorage.

Each new request has an Interceptor at the angle that validates whether the token is in the url (if it comes from an external application) or if it is in the localStorage.

If there is, add it to the request header.

Finally, to check if the token is valid, in the backend I added a middleware that does this check. Ex:

  exports.isAuthenticated = function (token) {
  try {
    return jwt.verify(token, config.secrets);
  } catch(err) {
    throw new TokenError(err.message);
  }
};

Browser other questions tagged

You are not signed in. Login or sign up in order to post.