javascript - Express.js and Angular - authentication and login session -


i'm using expressjs , angularjs app. basically, expressjs returns 1 .html has angular single-page-application. routing done angularjs, , expressjs exposes web services (get, post).

so, if i'd regular expressjs app, i'd use passportjs , store user in session on server-side that'd it. when user tries access /admin pages, i'd use passport middleware check if route allowed , forth. plain , simple.

but angular, routing done on client side - evaluating if user logged in. now, of course, lot has been written this, solutions store kind of token key in localstorage or angular's $cookie. i'm wondering - safe?

if ran such application on public computer, , forgot logout, able @ localstorage or angular's $cookie , token, right?

so theoretical process of implementing safe authentication on client side, using angularjs?

quote:

so, if i'd regular expressjs app, i'd use passportjs , store user in session on server-side that'd it.

while session data stored on server, session identifier stored on client in cookie. if cookie stolen (such in public computer example), session can used else. client-side applications can use cookie-session-identifier scheme. when angular makes xhr requests of server, supply cookie.

as you’ve seen, json web tokens (jwts) have emerged new scheme. replace session identifier, not cookie. may see local storage being used instead, not safe. cookies in fact secure place store authentication token, if set httponly; secure flags. prevents js environment reading cookie, , prevents browser sending server on non-secure channels.

i’ve written jwts , angular apps @ length, in these 2 articles:

build secure user interfaces using json web tokens (jwts)

token based authentication single page apps (spas)

if you’re concerned public computers, have avoid storing token altogether. means retaining token in javascript memory, , supplying via http headers (typically authorization: bearer <access_tken>). tab closed, token lost , session dead. of course requires user close tab, can take step further , set low “time idle” on token, such 5 minutes. if user not use token within 5 minutes, considered in valid , have login again.

p.s. work @ stormpath , have user management service makes incredibly easy add authentication angular apps. can read in our angularjs guide


Comments

Post a Comment

Popular posts from this blog

angularjs - ADAL JS Angular- WebAPI add a new role claim to the token -

i have created angular spa webapi backend using adal js authentication.as there no roles in ad, need manually add role claims in order give users access different api controllers. the roles stored in database. expecting inject claim through call webapi after authentication ad. webapi code might this. identity.addclaim(new claim("role", "user")); var ticket = new authenticationticket(identity, props); var accesstoken = startup.oauthbeareroptions.accesstokenformat.protect(ticket); is possible replace adal idtoken new token? is viable solution or there other better way handle this? as initial token generated azuread, possible edit token add new claim? appreciated. graph api supporting group claims. see here: http://justazure.com/azure-active-directory-part-4-group-claims/ if @ examples on page, users assigned groups , app can check group in claims. in current version of portal, need app manifest , modify it.
Read more

php - CakePHP HttpSockets send array of paramms -

i problem when make request (i can request). $link = 'http://uri/path/?param1=1&sid=2&sid=3&sid=4' $http = $httpsocket = new httpsocket(); $res = $httpsocket->get($link); if check request pr($http); i see : [line] => /url/path/?param1=1&sid%5b0%5d=2&sid%5b1%5d=3&sid%5b2%5d=4 http/1.1 and i'm getting empty response because server doesn't know parameters sid%5b0%5d=2 when try send parameters array : $data = array('param1' => '1', 'sid' => array('2','3', '4')); i see same changes %5b0%5d - additional indexes. how fix it? unfortunately , can not change server side, if send request in browser, i'll normal response in json format. when make request, can parameters this: $param1 = $_get['param1']; $sid= $_get['sid']; tip: use diferente names parameters. have multiples sid. use sid1, sid2, sid3... update: can parameters this:
Read more

node.js - Using Node without global install -

i'm working on few node & electron (atom shell) projects , i'm curious how them work without user having install node globally. i've seen few applications including node directory in project contains node.exe binary. how go setting node project use binary? edit: thought should add, i've searched everywhere answer this, unrelated results.
Read more