Angular
Boniface, 2014-05-22 13:37:29

How to implement your own authentication \ authorization for the site?

Hello! Please tell me what security problems there could be if authorization is done as follows...
There is a website. The client is written in angular.js and the server in node.js. For authorization, the client sends a username and password to the server. On successful authorization, the server responds with an md5 hash; let's call it the access token. This token is stored on the server in redis in the user's session. On the client, the token is stored in localstorage.
All subsequent requests carry the access token in a header together with the user id. The token also has a lifetime; if it expires, the user must send the login and password again for authorization.
All requests go over https. What are the holes in such an implementation?


2 answer(s)
maxaon, 2014-05-22
@maxaon

There are two main problems:
1. How the token is generated, stored and deleted. Is there a binding to IP, etc.?
2. Hijacking the token through XSS or in some other way, since it can be read directly. The most rational approach would be to store it in a cookie with the httponly flag. For the paranoid, you can also split the token into two parts: one in the cookie, the other sent manually in the request header.
But it's even better to use HTTP digest authentication.

hostwell, 2015-11-10
@hostwell

elementary
