javascript - How to verify user identity in real time on a web page?
黄舟2017-05-16 13:38:11
0
7
665
Premise: The user has gone through the login verification process. Question: So how does the user verify his identity when he obtains his private data from the server? (Note: express framework used for backend)
session! session can be stored in server memory or a cache like redis. There are mature third-party session libraries, in which sessions can exist in redis/database/local. You can save the session in redis like this:
var session = require('express-session');
var RedisStore = require('connect-redis')(session);
app.use(session({
store: new RedisStore({
host: CONF.REDIS_URL(),
port: 6379
}),
secret: 'keyboard cat',
resave: false,
saveUninitialized: false,
cookie: {maxAge: 14400000}
}));
After the user passes the verification, certain information will be saved in the background to avoid repeated verification in the future. The commonly used method in the past was Session. Session is based on Cookie. Later, the Token method was gradually developed, using Token to replace the Seesion-Id in Cookie. As The backend determines the basis for logged in users, and then JWT (JSON Web Token) appears.
But having said that, if there are really important operations that require special caution, there should be two-step verification, such as random SMS passwords for payment, and various security Token (or random password) Apps, etc. The simplest is to require you to enter the password again to confirm after logging in for a certain period of time to perform high-security operations, such as operations such as deleting important data by the administrator.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
Use session or json web token
session, write the user id into the session
when the verification is successful
req.session.user = user;session!
session can be stored in server memory or a cache like redis.
There are mature third-party session libraries, in which sessions can exist in redis/database/local.
You can save the session in redis like this:
Use sessionID to make a token, and check this token for every request
Negotiate with the backend to adjust the interface, and then verify his identity in the backend
After the user passes the verification, certain information will be saved in the background to avoid repeated verification in the future. The commonly used method in the past was Session. Session is based on Cookie. Later, the Token method was gradually developed, using Token to replace the Seesion-Id in Cookie. As The backend determines the basis for logged in users, and then JWT (JSON Web Token) appears.
But having said that, if there are really important operations that require special caution, there should be two-step verification, such as random SMS passwords for payment, and various security Token (or random password) Apps, etc. The simplest is to require you to enter the password again to confirm after logging in for a certain period of time to perform high-security operations, such as operations such as deleting important data by the administrator.