javascript - After requesting the login interface, is it safe to store the secret key returned by the interface in the cookie? If the secret key in the cookie is obtained, the interface can be called at will.
PHP中文网
2017-05-16 13:02:05
Are you talking about a mobile app? This generally does not require a session. When logging in, a token value is returned, and the app uses this token as its credential for the other interfaces. The front end and back end can agree on an encryption/verification method for this token.
If you consider safety issues:
Others would first need to know when your token value is returned, and then they would need to capture the packet. So you can consider using HTTPS for the backend interface URL, so that even if others capture the packet, nothing usable can be captured.
Secondly, the token you return can be encrypted with an RSA private key. The app keeps the public key to decrypt the token, and subsequent tokens or other sensitive parameters can also be encrypted with RSA. Others cannot encrypt or decrypt without your public key.
Suppose someone decompiles your app and finds the token you stored in the code; then you can also pass an additional parameter st for verification. Here is a simple one: arrange all your parameters in alphabetical order, transcode them, md5 the result, and pass the resulting value. After receiving your parameters, the backend does the same thing and compares it with the value of st. If it is inconsistent, the request is considered to have been modified, and the backend returns an illegal-parameter prompt.
You can also set one public key per app installation (so-called "one machine, one secret"), and the backend can update the public key on the app side from time to time. In this way, even if your verification rules and RSA public key become known to others, they can only manipulate the app on that one phone, which minimizes losses.
——————————————
I didn't notice that you were talking about JavaScript, but it can also be implemented this way in JavaScript.
You can imagine that the token contains your login information, IP address, login time, etc., plus a series of modifications, and that it has its own expiry date and cannot be used after that, so it is still very safe.
You can refer to the login interface of the WeChat Mini Program:
https://mp.weixin.qq.com/debu...