如何安全地在angularjs中存储密码
我计划通过将用户输入的用户名/密码存储到javascript变量中,在非ssl加密站点中进行安静登录。
I'm planning to do a restful login in a non ssl encrypted site by storing the username / password entered by the user into javascript variable.
每次用户做一个请求,我的应用程序首先从服务器请求令牌,然后将其与存储的$ scope.password组合,然后散列发送到服务器进行验证。如果验证是正确的,那么请求将继续,否则它将被停止。
Everytime the user does a request, my app would first request a token from the server then combined it with the stored $scope.password, hashed then sent to the server for validation. If the validation is correct,then the request will continue, otherwise it will be stopped.
此外,每次验证完成时,服务器都会创建一个新令牌,无论是它是否有效。
Also, everytime the validation is done, the server creates a new token, whether the it is valid or not.
据我所知,如果我使用立即函数将是安全的,但由于我将使用angularjs,我不会认为这是可能的,那么如何确保存储在内存中的用户名/密码不会被黑客攻击?
According to my knowledge, it would be secure if I use immediate functions, but since I'm going to use angularjs, I don't think it is possible, so how do I ensure that the username / password stored in the memory is not hackable?
谢谢。
你不能阻止某人从内存中读取用户名和密码,但你可能会花一些精力去发送到服务器的内容。
You cannot prevent that someone reads the username and password from the memory, but you could spend some effort on what is send to the server.
您应该在将密码和用户名发送到服务器时尝试对其进行哈希处理。使用用户会话特有的盐,因此更难以预测,并且需要完整记录整个流量。
You should try to hash the password and username when sending them to the server. Use a salt that is unique to the users session, so it is more unpredictable and requires a full record of the whole traffic.
这不会产生绝对的安全性,但是提高其他人阅读所有内容的标准。
This will not result in absolute security, but raise the bar for some one else to read everything.
PS:我强烈建议使用SSL。
P.S.: I would strongly recommend to use SSL.