I'm developing an Angular + ASP.NET MVC app without Claims, JWT or other built-in tools.
My auth (authentication) system: "Users" table:
namespace AwakenedTalents.Models
{
    public class User
    {
        public string Id { get; set; } // I use a GUID here
        public string Login { get; set; }
        public string Password { get; set; }
        public string Email { get; set; }
        public bool IsEmailConfirmed { get; set; }
    }
}
When I log in to the site, I send an encrypted (TripleDES by key) Id from the ASP.NET server and add it to the cookies in Angular.
AuthenticationCheck (Angular AuthService method):
IsAuth(): boolean {
    if (this.cookies.get("authtoken") != "")
    {
        return true;
    }
    else
    {
        return false;
    }
}
Thus, I check if the user is authenticated and call the command to get user data from the server:
UpdateUserData() {
    // Returns a promise: userData.user is only populated once the request completes,
    // so callers must wait on it instead of reading the value synchronously.
    return $.get(env.environment.server_url + "/login/getuserdata?authtoken=" + this.cookies.get("authtoken"))
        .then(response => {
            if (response != "Not authenticate") {
                userData.user = JSON.parse(response);
            }
            return userData.user;
        });
}
Everything seems to be working fine until the mega-hacker Mr. Bob shows up. He steals other people's cookies in ANY way and replaces his own with them. Then he enters the site under the guise of another person, stealing their data. How do I protect against the mega-hacker Mr. Bob?
What did you try and what were you expecting? : I watched youtube videos :)
CodePudding user response:
You can protect your cookies by making them with the `secure` flag and the `httponly` flag. The `secure` flag will make sure your cookie is only sent over an encrypted (https) connection. The `httponly` flag makes your cookie inaccessible to javascript. https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
It's also a good idea to have verification information that you can validate in your cookie, such as including the sessionID as part of the encrypted content to validate it against the current user's session.
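The two points in this answer (set the flags server-side, and bind the encrypted content to the current session) as an added example, not code from the question or the answer. It assumes ASP.NET MVC 5 on .NET Framework 4.7.2 or later (for `HttpCookie.SameSite`), uses `MachineKey.Protect`/`Unprotect` for authenticated encryption in place of plain TripleDES, and the cookie name, purpose string and controller are illustrative. Because the cookie is `HttpOnly`, the Angular side no longer reads it or passes it as a query parameter; the browser attaches it and the server reads `Request.Cookies`.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace AwakenedTalents.Controllers
{
    public class LoginController : Controller
    {
        private const string CookieName = "authtoken";
        private const string Purpose = "AwakenedTalents.AuthToken"; // hypothetical purpose label

        // Called after the password check succeeds. Issued server-side so HttpOnly can be set;
        // the token ties the user Id to this session, so a copied cookie fails elsewhere.
        private void IssueAuthCookie(string userId)
        {
            Session["uid"] = userId; // store something: an empty session gets a new SessionID per request
            string payload = userId + "|" + Session.SessionID;
            byte[] sealedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(payload), Purpose);
            var cookie = new HttpCookie(CookieName, Convert.ToBase64String(sealedBytes))
            {
                HttpOnly = true,                // not readable from document.cookie
                Secure = true,                  // only sent over HTTPS
                SameSite = SameSiteMode.Strict, // not attached to cross-site requests
                Expires = DateTime.UtcNow.AddHours(8)
            };
            Response.Cookies.Add(cookie);
        }

        // Returns the user Id when the cookie is intact and belongs to this session, else null.
        private string ValidateAuthCookie()
        {
            HttpCookie cookie = Request.Cookies[CookieName];
            if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
            try
            {
                byte[] raw = MachineKey.Unprotect(Convert.FromBase64String(cookie.Value), Purpose);
                string[] parts = Encoding.UTF8.GetString(raw).Split('|');
                if (parts.Length != 2 || parts[1] != Session.SessionID) return null; // replayed from another session
                return parts[0];
            }
            catch (Exception) { return null; } // tampered ciphertext or malformed base64
        }

        public ActionResult GetUserData()
        {
            string userId = ValidateAuthCookie();
            if (userId == null) return new HttpUnauthorizedResult();
            return Json(new { Id = userId }, JsonRequestBehavior.AllowGet); // look up the User row here
        }
    }
}
```

Rotate the machineKey (or the purpose string) to invalidate every outstanding cookie at once, and call `Session.Abandon()` on logout so the session-bound token stops validating.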