javascript - Are there any security concerns storing HTTP Basic authorization header in localStorage? -

-

I am creating a web application that accesses a private API. The API I am using uses HTTP Basic Authentication on TLS. My client has requested the "Remember Me" functionality for the web app so that users can maintain consistent authentication on a given device.

My quick and dirty solution is valid after localStorage in authorization header. Of course, to reach a user's device without any limit, whatever salt is worth to its weight, it can copy the athther header from localStorage and the user's login / password combo Can be decoded to retrieve it.

In addition to the Total Device Agreement, are there any other security implications for storing such sensitive data in localStorage ? Is local storage as a store for sensitive data as a password acceptable? If not, how would you continue to perform such data on a user's device beyond a personal browser session?

(I want all people to use their private key ... passwords are such a 90's)

edit to read it Later it is clear that storage of sensitive data is generally a bad idea in the local storage , but in this case what is the better option for authentication?

I think it is useful to store some things related to login or password in favor of the user There is a bad idea.

But after a user is logged in, you can store a random string (for example a random hash) in the user's favor and in your database. When the user comes back, you can compare both, and if they are the same, you can enter the user. And you can ask the user to enter your password for sensitive actions (password change or login etc.). Even if the hash is stolen, no one will be able to get full access to this account.

EDIT: This concept is already used. I have never tested it with local storage

Comments

Post a Comment

Popular posts from this blog

java - ImportError: No module named py4j.java_gateway -

-
I'm trying to call the Python using the Java program py4j . I've been installing the plug-in Eclipse and test name Piidvi project. I'm trying to execute the following part of the code found on py4j webpage: Import from py4j.java_gateway to JavaGateway, java_import gateway = JavaGateway () jvm = gateway.jvm java_import (jvm, '' Org.eclipse Kkorkrisorsej. * ") Vrkspes_rut = Jvankresourkesplginkgetvrkspas (). GetRoot (Gateway .help (workspace_root, '* Projects *') project_names = [project.getName () (for projects workpace_root.getProjects))] print (Projekt_nam) But I There is an error in import. I have checked that the P4JJ is present in the Jar Eclipse plugin directory. Can anyone help please? I had to install the py4j application
Read more

python - Receiving "KeyError" after decoding json result from url -

-
I am new to Python I am trying to parse JSON result from a URL. Basically, I was using the following: response = urllib.request.urlopen (url) json_obj = json.load (response) It should be a stroke "str 'not' bytes' in the lines of a given" JSON object, so after searching on the StackoverView Flo, I decode the response in this way: F = urllib.request.urlopen (Url) charset = f.info (). Get_param ('charset', 'utf8') data = f.read () decoded = json.loads (data.decode (charset)) If I print "decode" I is as follows: { 'link': { 'summary data': 'https: // localhost / piwebapi / streams / p0_7qHaW4UHU-RlCaz8tpasAAQAAAAU0hJTExNQU42NDIwXFNJTlVTT0lE / summary' 'value': 'https: // localhost / Piwebapi / streams / P0_7qHaW4UHU-RlCaz8tpasAAQAAAAU0hJTExNQU42NDIwXFNJTlVTT0lE / price ',' InterpolatedData ':' https: // localhost / Piwebapi / streams / P0_7qHaW4UHU-RlCaz8tpasAAQAAAAU0hJTE...
Read more

.net - Creating a new Queue Manager and Queue in Websphere MQ (using C#) -

-
"itemprop =" text "> I am writing applications that use WebSphere MQ to send messages. My unittests (for flow), I want to verify that I have put the correct message on the response queue. I am trying to figure out how to do this. My main obstacle is that I think it might be scary to clear the queue before running in my queue because the same queue can be used by other applications, I thought a decent solution would be a new line The manager will remove the queue for my solidarity and after using it. So my question is: Is it possible to use C # by using queue manager and queue? After the For future reference and future people, who want to make queues. I thought how to make and remove IBM MQ QE (not quenhers) with PCM messaging. It is not very simple, but it can be done. We have implemented it in a library and it is being used to create and delete commands before and after integration tests. The most important part of the code in this library is shown in the...
Read more