[Angular] Protect the Session Id with HTTPS and HttpOnly
For the whole signup process, we need to:
- Hash the password to create a password digest
- Store the user's info and the password digest in the db
- Create a random session id and associate it with the user
- Set the session id in a cookie
```javascript
import * as argon2 from 'argon2';
// randomBytes and sessionStore come from the two modules below (file names assumed);
// `db` is the app's user repository, which the post does not show
import { randomBytes } from './random-bytes';
import { sessionStore } from './session-store';

async function createUserAndSession(res, credentials) {
  // Create a password digest (argon2 salts and hashes the password for us)
  const passwordDigest = await argon2.hash(credentials.password);
  // Save into db
  const user = db.createUser(credentials.email, passwordDigest);
  // Create a random session id: 32 bytes from the CSPRNG, hex encoded (256 bits of entropy)
  const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
  // Link sessionId with user
  sessionStore.createSession(sessionId, user);
  // Set sessionId into cookie
  res.cookie('SESSIONID', sessionId);
  // Send back to UI (only public fields; never the digest or the session id in the body)
  res.status(200).json({id: user.id, email: user.email});
}
```
-----
```javascript
const util = require('util');
const crypto = require('crypto');

// Convert callback-based crypto.randomBytes into a promise-based function
export const randomBytes = util.promisify(crypto.randomBytes);
```
-----
```typescript
import {Session} from './session';
import {User} from '../src/app/model/user';

class SessionStore {
  private sessions: {[key: string]: Session} = {};

  createSession(sessionId: string, user: User) {
    this.sessions[sessionId] = new Session(sessionId, user);
  }
}

// We want only one global singleton
export const sessionStore = new SessionStore();
```
Now that the cookie is set, the browser attaches it to every later request we send to the server, in the `Cookie` request header (this can be confirmed in the browser's network panel).
The problem is that if an attacker can inject a script into our page (XSS), that script can read the cookie with:
```javascript
document.cookie
```
With the stolen value the attacker just sets the same cookie in his own browser, and it is then sent with each of his requests. Since the cookie is the only thing the server uses to identify the user, he is now logged in as the victim:
```javascript
document.cookie = "......"
```
To protect against that, we mark the cookie HttpOnly, so the browser still sends it with HTTP requests but does not expose it to JavaScript. This stops the cookie from being stolen; it does not stop the injected script itself, which can still make requests from the victim's browser, so XSS must still be fixed at its root:
```javascript
// set sessionid into cookie
res.cookie('SESSIONID', sessionId, {
  httpOnly: true, // js cannot access cookie
});
```
In the browser's cookie viewer the "HTTP" column is now checked for SESSIONID.
Second, we need to make sure the cookie is only ever sent over HTTPS, so that it cannot be read off the network in plaintext.
To do that on the server:
```javascript
// set sessionid into cookie
res.cookie('SESSIONID', sessionId, {
  httpOnly: true, // js cannot access cookie
  secure: true    // browser only sends the cookie over https
});
```
We also need to adjust the Angular CLI so the dev server runs on HTTPS; otherwise the browser will refuse to send a Secure cookie to http://localhost at all:
package.json:
```json
"start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
```
proxy.json (`secure: true` makes the proxy verify the backend's certificate; with a self-signed dev certificate on localhost:9000 that check may need to be disabled):
```json
{
  "/api": {
    "target": "https://localhost:9000",
    "secure": true
  }
}
```
The "Secure" column is now also checked.