Session management with Firebase?

Disclaimer: this page is a Chinese-English side-by-side translation of a popular Stack Overflow question, released under the CC BY-SA 4.0 licence. If you reuse it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me). Stack Overflow original: http://stackoverflow.com/questions/14094010/
Warning: these are provided under the CC BY-SA 4.0 licence. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow

Date: 2020-09-13 16:36:12  Source: igfitidea


Tags: local-storage, firebase

Asked by zodvik

I am building a basic webapp using Firebase that requires authentication and session handling. Going over the docs for Firebase Auth, I decided to use the email/password option over the Facebook login.


Upon successful login, we get a token that could be used again for logging in when the page refreshes or on a new tab using auth(). But for that we would need to save the token somewhere on the client side. Going through the source code for Firefeed, which implements auth and session handling, the token is saved in the localStorage of the user's browser.


How secure is this approach, since localStorage data would be visible to anyone using the browser? Is there any better alternative to this?


Answered by Andrew Lee

The tokens returned by the Simple Login are time-bound, user-specific tokens. If compromised, they will at worst allow an attacker to impersonate that user for a limited period of time. They do not contain the user's password or other sensitive data.


localStorage can only be accessed by JavaScript on the host domain from which it was saved, so other sites you visit will have no access to it (assuming the browser or your site haven't been compromised, but if they have, all bets are off...)


So, short answer, this approach is quite secure.

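The answer's point that the cached token is time-bound is what makes the question's approach workable: the client should only ever hand a still-valid token back to auth() on refresh or in a new tab, and purge a stale one. The following is an added example (not code from the question, the answer, or Firefeed) of such a session helper; it assumes the token is a JWT carrying a numeric `exp` claim, uses a hypothetical storage key, and uses Node's Buffer for base64url so it runs outside a browser.

```javascript
// Added example, not code from the question, the answer or Firefeed. A
// Storage-compatible object (window.localStorage in a browser) caches a
// time-bound token; a stale one is never reused. ASSUMPTION: the token is
// a JWT whose payload has a numeric `exp` claim (seconds since the epoch).
const SESSION_KEY = 'firebaseSession'; // hypothetical storage key

// base64url via Node's Buffer (in a browser use atob/btoa instead)
const b64url = {
  encode: (s) => Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  decode: (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString(),
};

// Read `exp` without verifying the signature: the client only needs to know
// when the cached token dies; the Firebase server is what validates it.
function tokenExpiry(token) {
  try {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const { exp } = JSON.parse(b64url.decode(parts[1]));
    return Number.isFinite(exp) ? exp : null;
  } catch (e) { return null; } // malformed token: treat as unusable
}

function createSession(storage, now = () => Math.floor(Date.now() / 1000)) {
  return {
    // After a successful email/password login: cache the token for page
    // refreshes and new tabs, but never cache one that is already dead.
    save(token) {
      const exp = tokenExpiry(token);
      if (exp === null || exp <= now()) return false;
      storage.setItem(SESSION_KEY, token);
      return true;
    },
    // On page load, before calling auth(): hand back the cached token only
    // while it is still valid; otherwise purge it so it cannot linger.
    restore() {
      const token = storage.getItem(SESSION_KEY);
      const exp = token === null ? null : tokenExpiry(token);
      if (exp === null || exp <= now()) { storage.removeItem(SESSION_KEY); return null; }
      return token;
    },
    clear() { storage.removeItem(SESSION_KEY); }, // logout
  };
}

// Constructed stand-ins so this runs outside a browser: an unsigned JWT and an in-memory Storage.
const fakeJwt = (exp) => `${b64url.encode('{"alg":"none"}')}.${b64url.encode(JSON.stringify({ exp, uid: 'demo-user' }))}.sig`;
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k) };
}
```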