I’m a FrontEnd dev who isn’t that familiar with security.
Currently, I’m storing the user’s userId in web localStorage.
By using userId, we can request the user’s info from the server.
The problem is that I’m a little bit afraid whether there could be a potential danger in this method of handling userId.
Of course, if a user tried to request with another userId value, they could get other users’ data (but not private info like email or password, blah blah).
The reason why I allow users to get other users’ data is to check the profile of another user when they want (like on a profile page).
To conclude, on my localStorage, userId is stored, which lets the user log in less and checks if the user is authenticated in the current route. Is this not vulnerable?
Can you guys give me advice on whether it’s enough or not?
CodePudding user response:
localStorage can store insensitive user-related information. If the user can get other users' information by changing the userID, he can encrypt the userID on the server and return it to the page. If the user cannot get the encrypted user id of others, he will not be able to request other people's information.
CodePudding user response:
The main security issue I see is that anyone can change their stored userId to be authenticated as any other user.
And if your userIds are incremental, you don't even have to know any userId; you can guess them. If my userId is 108, then probably there's a 107, a 109, and so on.
My advice is to try to implement something like JWT authentication, but if it's too much to begin with, storing a hash (like sha256) of the userId plus a secret string will make it impossible to guess. This way you can't just copy userIds to your localStorage. In the server you receive the hash and the userId, so you replicate the hash with the userId plus your secret string, and if they match, you're good to go.
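The keyed-hash scheme this answer describes, as an added example that is not part of the answer or of any library. It assumes a Python backend and a constructed secret; it uses HMAC-SHA256 as the standard way to compute "a hash of the userId plus a secret string" (a plain `sha256(userId + secret)` concatenation is weaker, so HMAC is the form shown). The server issues `{userId, tag}` at login, the front end stores both, and the server recomputes the tag on every request. The demo shows that editing the stored userId from 108 to 107 while keeping the old tag is rejected, which is exactly the guessing attack the answer is worried about.

```python
import hashlib
import hmac

# Constructed demo secret. Assumption: a real server loads this from
# configuration or an environment variable and never sends it to the client.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def tag_user_id(user_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed hash binding the userId to the server secret (HMAC-SHA256)."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_login_response(user_id: str) -> dict:
    """What the server returns after a successful login; the client stores
    both values in localStorage and sends them back on each request."""
    return {"userId": user_id, "tag": tag_user_id(user_id)}


def verify_request(user_id: str, tag: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server-side check: recompute the tag for the presented userId and
    compare in constant time so the comparison leaks no timing information."""
    expected = tag_user_id(user_id, secret)
    return hmac.compare_digest(expected, tag)


def forged_request_accepted() -> bool:
    """Simulates a client that edits the stored userId (108 -> 107) but cannot
    produce a matching tag because it does not know the secret."""
    stored = issue_login_response("108")
    assert verify_request(stored["userId"], stored["tag"])  # the real user passes
    forged = {"userId": "107", "tag": stored["tag"]}        # constructed tampering
    return verify_request(forged["userId"], forged["tag"])  # False: rejected


if __name__ == "__main__":
    print("forged request accepted:", forged_request_accepted())
```

Two things to keep in mind when using this: the tag is only as secret as `SERVER_SECRET`, and because it is derived from the userId alone it never expires, so a copied `{userId, tag}` pair stays valid until the secret is rotated. That permanence is the gap an expiring token closes.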
CodePudding user response:
If the user signs in successfully, return a JSON web token from the backend. Then you can store that token wherever you want in the browser. In the token you can attach a payload, for example the user id. You can implement a middleware in the backend that accepts that token and decodes it to get the payload attached to it. Then you can implement logic to save or fetch data using that payload.
Also, you can expire the token and regenerate a new token using a refresh token. This is an additional security mechanism. The tokens we use to access resources are called access tokens; the token we use to regenerate a new token is called a refresh token.