[Angular] Protect The Session Id with https and http only

For the whole signup process. we need to 

  • Hash the password to create a password digest
  • Store the user's info and password digest into db
  • Create a random sessionId to assoc with user
  • Set Session Id into cookie
复制代码
async function createUserAndSession(res, credentials) {
  // Create a password digest
  const passwordDigest = await argon2.hash(credentials.password);
  // Save into db
  const user = db.createUser(credentials.email, passwordDigest);
  // create random session id
  const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
  // link sessionId with user
  sessionStore.createSession(sessionId, user);
  // set sessionid into cookie
  res.cookie('SESSIONID', sessionId);
  // send back to UI
  res.status(200).json({id: user.id, email: user.email});
}

-----

const util = require('util');
const crypto = require('crypto');

// convert a callback based code to promise based
export const randomBytes = util.promisify(
  crypto.randomBytes
);



-----

import {Session} from './session';
import {User} from '../src/app/model/user';
class SessionStore {
  private sessions: {[key: string]: Session} = {};

  createSession(sessionId: string, user: User) {
    this.sessions[sessionId] = new Session(sessionId, user);
  }
}

// We want only global singleton
export const sessionStore = new SessionStore();
复制代码

 

Now we have set the cookie, later, each request we send to the server, this cookie will be attached in the request header, we can confirm that:

 

But the problem is that, hacker can inject some script to get our cookie by using:

document.cookie

It enables the hacker to attack our site by just set cookie in his broswer, then in each reqest, the cookie will be sent to server, cookie is the only thing which server used to verfiy the user.

document.cookie = "......"

 

To protect that, we can make cookie can only be accessed by http, not JS:

  // set sessionid into cookie
  res.cookie('SESSIONID', sessionId, {
    httpOnly: true, // js cannot access cookie
  });

We can see that "HTTP" column was marked.

 

Second, we need to enable https protect.

To do that in server:

  // set sessionid into cookie
  res.cookie('SESSIONID', sessionId, {
    httpOnly: true, // js cannot access cookie
    secure: true // enable https only
  });

 

We also need to adjust angular cli so that app run on https:

package.json:

"start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
// proxy.json

{
  "/api": {
    "target": "https://localhost:9000",
    "secure": true
  }
}

We can see that "Secure" column now is also marked.

posted @   Zhentiw  阅读(2837)  评论(0编辑  收藏  举报
编辑推荐:
· 深入理解 Mybatis 分库分表执行原理
· 如何打造一个高并发系统?
· .NET Core GC压缩(compact_phase)底层原理浅谈
· 现代计算机视觉入门之:什么是图片特征编码
· .NET 9 new features-C#13新的锁类型和语义
阅读排行:
· Spring AI + Ollama 实现 deepseek-r1 的API服务和调用
· 《HelloGitHub》第 106 期
· 数据库服务器 SQL Server 版本升级公告
· 深入理解Mybatis分库分表执行原理
· 使用 Dify + LLM 构建精确任务处理应用
历史上的今天:
2016-08-29 [GIF] The Phase Property in GIF Loop Coder
2016-08-29 [GIF] GIF Loop Coder Single Mode
点击右上角即可分享
微信分享提示