angularjs - Ionic + ngCookies + PHP authentication, how secure can it be?


I'm developing a mobile app which implements simple user authentication, and, as I'm new to hybrid mobile development and its front-end restrictions, I'm quite terrified by the idea of holding back-end related data in the form of localStorage / sessionStorage / ngCookies (as I have seen people do).

So my question is, how secure can these methods of holding such data be? Do app users have the ability to access and modify, let's say... sessionStorage, or the application itself? Because that is surely easy on the web.

Sorry if it's a stupid question, I don't wish to take security risks when it comes to this. Any help is appreciated!

TL;DR: cookies and storages should be assumed to be stored in plain text and accessible to any client-side script that comes from the same domain. Assume the worst; anything can go wrong in script due to bugs or XSS attacks. If the data is used by both client and server again, definitely sign it. If the data is relevant to server-side code, sign and encrypt it. If the data is only for printing stuff on screen or DOM evaluation, leave it in plain text.


Let's clear up cookies, session storage and local storage before beginning the example implementation.

Cookies are data created by the server or the client, stored in plain text by browsers, and sent on every HTTP request to the server if the path matches. They are used for storing authentication tokens, metadata regarding tracking, analytics, website interface preferences, shopping carts and many other things.

Storages, as indicated by the name, are storage space assigned to a domain, and scripts from that domain, as well as XSS attacks, can alter it. That means, if you use them for the purposes listed above, you have to append the data stored in them to HTTP requests by hand. If your site depends on many async HTTP calls, it is not wrong to use storages like cookies. Otherwise they are useful for caching things like template data and site resources.


If you use cookies for storing user-related data needed by the server, that kind of cookie can be encrypted on the server side before being sent to the client. You can still access such cookies with ngCookies, but the only harm injected code can do is invalidate them. If somehow the encryption scheme is revealed and they become readable by an attacker, you can still invalidate modifications to them by appending a signature (created with a secure hash algorithm) on every store and checking the signature on every retrieval. Let's illustrate the process.

    $userstate = json_encode($yourstateobjectoranassociativearray);
    $sign = my_hash($userstate);
    $encryptedstate = encrypt($userstate);
    setcookie("user", $encryptedstate);
    setcookie("sign", $sign);

Here we have encoded our state as JSON and first generated a hash of it. You can use sha1, sha256 and such, combined with a stored key of your choosing, in your my_hash() function. The example below is correct, but you shouldn't use it as-is, since nobody else should know your algorithm.

    // hash() is a reserved name, so use something else
    function my_hash($object) {
        return sha1(md5($object) . "some gibberish key stored in config data or in the db" . sha1($object));
    }

Note that my_hash() is not extremely secure since it uses a static string key and its generation structure is not complex. In the end, it is a sha1() of a randomly structured string. It is sufficient for a cookie signature though.

You can write your own encrypt() / decrypt() pair using AES encryption or an equally secure algorithm of your choice. Here is an example site.

Now our cookie is stored and ready to be sent on the next request. Below is how to decrypt and validate the cookie from the example above.

    $sign = isset($_COOKIE["sign"]) ? $_COOKIE["sign"] : '';
    $encryptedstate = isset($_COOKIE["user"]) ? $_COOKIE["user"] : '';

    $userstate = decrypt($encryptedstate);
    // if this fails, it indicates someone tried to replace the cookie by hand, a failed attack

    $assoc = true; // if true, json_decode returns an array, otherwise it returns an object
    $yourstateobjectoranassociativearray = json_decode($userstate, $assoc);
    // if this fails, it indicates someone tried to replace the cookie by hand, a failed attack

    // compare against the same JSON string that was signed when the cookie was stored
    // (hashing the decoded array would never match); hash_equals() avoids PHP's loose ==
    // comparison of hash strings and compares in constant time
    if (hash_equals(my_hash($userstate), $sign)) {
        // no one modified the cookie, it is safe
        // do stuff
    } else {
        // someone tried to replace the sign cookie to imitate the server and failed
        // or
        // someone managed to decrypt the cookie and modify it, but failed to generate a valid sign (very unlikely)
        // still safe
        // log this line and check it every once in a while to detect unsuccessful hackers
    }

This approach of using a state object can be used to implement many kinds of restrictions and tracking mechanisms. For example, storing the system time during creation of the cookie gives you a chance to expire it later. Embedding the client IP is a way to restrict sharing cookies across networks.
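A hardened version of the store-and-validate procedure in the answer above, written here as an added example rather than the answer's own code (which leaves encrypt()/decrypt() unspecified and signs with a sha1 of a static string). It keys the signature with HMAC-SHA256, encrypts with AES-256-CBC and a fresh random IV through PHP's openssl extension, verifies the MAC in constant time with hash_equals() before attempting any decryption, carries the creation time inside the sealed state so the server can expire it, and packs IV, ciphertext and tag into one cookie instead of separate user/sign cookies. It assumes PHP 7.3 or newer with openssl; the COOKIE_SECRET environment variable, the cookie_keys()/seal_state()/open_state() names, the one-hour max age and the demo state values are assumptions made for this example.

```php
<?php
// Added example, not the answer's own code: encrypt-then-MAC cookie state in PHP.
// Assumes PHP >= 7.3 with the openssl extension. The master secret is read from
// the (assumed) COOKIE_SECRET environment variable and must never reach the client.

/** Derive separate encryption and MAC keys from one master secret. */
function cookie_keys(string $master): array
{
    return [
        hash_hmac('sha256', 'enc', $master, true),  // 32-byte AES-256 key
        hash_hmac('sha256', 'mac', $master, true),  // 32-byte HMAC key
    ];
}

/** Encrypt the state, then MAC (IV || ciphertext); returns a cookie-safe string. */
function seal_state(array $state, string $master): string
{
    [$encKey, $macKey] = cookie_keys($master);
    $plain   = json_encode($state);
    $iv      = random_bytes(16);                    // fresh IV for every cookie issued
    $cipher  = openssl_encrypt($plain, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $payload = $iv . $cipher;
    $tag     = hash_hmac('sha256', $payload, $macKey, true);
    return base64_encode($payload . $tag);
}

/**
 * Verify the MAC first (constant time), only then decrypt and decode.
 * Returns the state array, or null for any malformed, forged or expired cookie.
 */
function open_state(string $cookie, string $master, int $maxAge = 3600): ?array
{
    [$encKey, $macKey] = cookie_keys($master);
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {
        return null;                                // shorter than IV + one block + tag
    }
    $payload = substr($raw, 0, -32);
    $tag     = substr($raw, -32);
    if (!hash_equals(hash_hmac('sha256', $payload, $macKey, true), $tag)) {
        return null;                                // forged or bit-flipped cookie: worth logging
    }
    $iv     = substr($payload, 0, 16);
    $cipher = substr($payload, 16);
    $plain  = openssl_decrypt($cipher, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        return null;
    }
    $state = json_decode($plain, true);
    if (!is_array($state) || !isset($state['iat'])) {
        return null;                                // not our structure
    }
    if (time() - (int) $state['iat'] > $maxAge) {
        return null;                                // expired: creation time travels inside the sealed state
    }
    return $state;
}

// --- demo with a constructed state (runs from the CLI; replace the secret in real use) ---
$master = getenv('COOKIE_SECRET') ?: 'placeholder-dev-secret-replace-me';   // assumption: secret from env
$state  = ['uid' => 42, 'iat' => time(), 'ip' => $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'];
$cookie = seal_state($state, $master);

if (PHP_SAPI !== 'cli') {
    // Secure + SameSite; httponly stays false only because the question wants ngCookies to read it
    setcookie('user', $cookie, ['path' => '/', 'secure' => true, 'httponly' => false, 'samesite' => 'Lax']);
}

$tampered = $cookie;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';  // flip one character, as an XSS payload or user might
echo 'genuine cookie: ', open_state($cookie, $master) ? 'accepted' : 'rejected', PHP_EOL;
echo 'tampered cookie: ', open_state($tampered, $master) ? 'accepted' : 'rejected', PHP_EOL;
```

The order matters: the tag is checked over IV and ciphertext before openssl_decrypt() is ever called, so a modified cookie is rejected without giving an attacker a padding or decryption oracle, and hash_equals() keeps the comparison constant time. If the client never needs to read the cookie, set httponly to true as well so injected script cannot read it at all.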

