I am building a trading website for the game CS:GO, currently when a user logs-in to the site for the first time using their steam account, I assign them a unique 20 character long string as an ID. This ID is sent to the server (NodeJS) every time they make a request to verify all the information they are sending is valid, such as the items in their inventory, their user name and profile picture etc. However as this unique ID is stored in their local storage and then sent to the server, if they get hold of another users ID they would be able to access his account on the site and therefore have the ability to steal their items. What would be a better approach to identifying users that would be more secure?
CodePudding user response:
You should issue them a Json Web Token : https://jwt.io/introduction Then they send the JWT in the request headers and you can validate that this token corresponds to the user you issued it for on your backend
CodePudding user response:
You should not store any ID or tokens in the browser ,instead only use session cookies with the backend, that is the only proven secure approach. Assuming you use the SameSite (strict or lax), Secure and HttpOnly cookies attributes.
if you need to use JWT tokens, then consider using the BFF pattern as mentioned in these videos: