Front-end/back-end separation: after the token is generated, where is it more appropriate to store it?

Time:09-17


1. Save it in a cookie, set by the back end with httponly=true... this feels just like the old session approach, which does not seem very scientific.

2. Save it on the front end! But where on the front end... if it is saved in a cookie, the front end is likely to be attacked, which is not safe!

Bosses, where do you save the token, and how do you handle it when passing information?????

CodePudding user response:

Generate the token directly with JWT; no storage is needed, just decode it.

CodePudding user response:

Quoting the 1st-floor reply from Wales_:
The token is generated by JWT without storage and decoded directly.


It is decoded directly, yes, but after you generate the token, it must be kept on the front end or in a cookie so that subsequent requests can use it. That is the problem I am talking about.

CodePudding user response:

With Vue, it is stored inside Vuex.

CodePudding user response:

Quoting the 3rd-floor reply from Farmermark993:
With Vue, it is stored inside Vuex.


I feel it is safer to have the back end set the cookie and then forbid front-end access to it.

CodePudding user response:

Isn't the cookie stored in the browser? What does it have to do with the back end? Since the front and back ends are separated, the token must be kept on the client side, whether it gets attacked or not. If you want to ensure safety, you can only start from checking the device, for example adding more constraints to the token, such as the browser, adding seven or eight of them together. It is also better not to use JWT, since it cannot be actively invalidated.

CodePudding user response:

Keep it on the front end in localstorage. localstorage does not participate in server interaction, so it cannot be captured; absolutely secure.
But the back end has to verify it, so the front end must pass it in, for example: http://x.x.com/save?token=xxx&a=1&b=2
This way is equivalent to streaking; the same goes for POST. It is recommended to modify it as follows:
Obfuscate the token with MD5, sample code: var token = MD5(MD5('a=1&b=2&time=current time&token=XXX'));
Callback interface: http://x.x.com/save?token=obfuscated_token&time=current time&a=1&b=2

MD5 is irreversible, plus time validation, so even if the request is captured the real token cannot be obtained.
The obfuscation prevents tampering with the parameters, and using the same parameters again the time will have expired.
Keep the front-end and back-end checking logic consistent; safety factor 99.9%.
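The signed-request scheme described in this reply (hash the parameters, a timestamp and the token; the server recomputes the hash and rejects stale timestamps), as an added example that is not code from the original thread. It uses HMAC-SHA256 keyed with the token in place of the reply's double MD5, looks the user's token up server-side by an assumed non-secret `user` parameter, and adds an optional replay set, which the reply's scheme does not have; the token store and values are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

SKEW_SECONDS = 60  # how far a request's timestamp may drift from server time

# Constructed sample store: user id -> that user's session token (server side only)
TOKENS = {"alice": "constructed-secret-token-for-alice"}


def canonical(params):
    # Sort keys so client and server build byte-identical strings
    return urlencode(sorted((k, str(v)) for k, v in params.items()))


def sign(params, ts, token):
    # The token is the HMAC key, so it never appears in the query string;
    # the reply's version used MD5(MD5(query + token)) instead.
    msg = f"{canonical(params)}&time={ts}".encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()


def build_request(user, params, token, now=None):
    # Client side: attach user id, timestamp and signature (no raw token)
    ts = int(now if now is not None else time.time())
    body = {**params, "user": user}
    return {**body, "time": ts, "sig": sign(body, ts, token)}


def verify_request(query, now=None, seen=None):
    # Server side: recompute the signature from the received parameters
    q = dict(query)
    sig, ts, user = q.pop("sig", None), q.pop("time", None), q.get("user")
    if sig is None or ts is None or user not in TOKENS:
        return False
    try:
        ts = int(ts)
    except ValueError:
        return False
    now = int(now if now is not None else time.time())
    if abs(now - ts) > SKEW_SECONDS:
        return False  # stale or future-dated: the "time validation" step
    expected = sign(q, ts, TOKENS[user])
    if not hmac.compare_digest(sig, expected):
        return False  # any tampered parameter changes the signature
    if seen is not None:  # optional replay guard within the time window
        if (user, ts, sig) in seen:
            return False
        seen.add((user, ts, sig))
    return True
```

Without the `seen` set, a captured request still replays successfully for the whole `SKEW_SECONDS` window, so the time check alone does not make a captured request useless.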

CodePudding user response:

Normally put it in a cookie and set httponly; of course your token must be like a sessionid, traceable back to a single user.

If you are worried about this being attacked, you should simulate an attack method; at least I don't know how this could be exploited (without revealing my own login information). And if this could be attacked, then the whole HTTP protocol would have a problem, and almost every site that needs a login would have a problem, because that is how sessions are implemented; almost all networked systems nowadays implement login state based on sessions.

CodePudding user response:

Quoting the 7th-floor reply from rumlee:
Normally put it in a cookie and set httponly; of course your token must be like a sessionid, traceable back to a single user.

If you are worried about this being attacked, you should simulate an attack method; at least I don't know how this could be exploited (without revealing my own login information). And if this could be attacked, then the whole HTTP protocol would have a problem, and almost every site that needs a login would have a problem, because that is how sessions are implemented; almost all networked systems nowadays implement login state based on sessions.


If your token is not bound and the login information cannot be traced back to a single user, then it is unsafe no matter where you store it; it has nothing to do with where, because as long as it is transferred over a network it will be exposed.

CodePudding user response:

Keep it in Redis, managed separately; safe and effective.

CodePudding user response:

Either localstorage or cookies will do.