dongyong1400
2018-03-22 00:14
浏览 191
已采纳

使用localStorage和Websocket自动授权

I have a project I'm working on which is a single-page dynamic web app which uses Javascript and a Websocket to retrieve data from a Golang server. I've implemented the auto-authorization method described in this article. I was referred to that article from this one which at the end mentions to check out the first article I linked (just in case you were wondering what that first article was "improving" upon).

This is how my setup works:

  • Client loads app, and before anything dynamic loads, client connects to Websocket
  • Client sends login, device token, and session token through Websocket (of course if they were logged in before) from localStorage
  • Golang Websocket server checks if database has matching login, device token, session token, client's browser/version, etc (I get a few other pieces of data to match a device with the user's HTTP request for extra security)
  • If there's a match, Golang generates a new session token, updates the database match with it, and sends it back to the client
  • Client gets session token and updates it in their localStorage to use the next time they load the site

Now, don't get me wrong. Everything is working great... but there's one problem:

If a user logs in, then reloads the page a bunch of times as fast as they can, sometimes the websocket and server don't have enough time to get the user's next session token back to them. This of course causes their tokens to expire and be removed from the database and notifies the user that their credentials have either been expired or stolen (which really doesn't look good from a business standpoint).

I have some thoughts on solutions, but none seem promising in scalability and for the long run.

All thoughts and solutions on the matter are appreciated!

图片转代码服务由CSDN问答提供 功能建议

我正在处理一个项目,该项目是使用Javascript和Websocket的单页动态Web应用程序 从Golang服务器检索数据。 我已经实现了本文中所述的自动授权方法。 我从这篇文章中引用了该文章,最后提到了 查看我链接的第一篇文章(以防万一您想知道第一篇文章在“改进”什么)。</ p>

这是我的设置的工作方式:</ p> \ n

  • 客户端加载应用程序,在动态加载任何内容之前,客户端连接到Websocket </ li>
  • 客户端通过Websocket发送登录信息,设备令牌和会话令牌(当然, 从本地存储</ li>
  • Golang Websocket服务器(之前登录)检查数据库是否具有匹配的登录名,设备令牌,会话令牌,客户端的浏览器/版本等(我还获得了一些其他数据来匹配设备) 并通过用户的HTTP请求提供额外的安全性)</ li>
  • 如果存在匹配项,Golang会生成一个新的会话令牌,并更新与之匹配的数据库,然后将其发送回客户端</ li>
  • 客户端获取会话令牌并更新 在他们的localStorage中添加它,以便下次加载站点时使用</ li> </ ul>

    现在,请不要误会我的意思。 一切工作正常……但是存在一个问题</ strong>:</ p>

    如果用户登录,则将尽快重新加载页面, 有时,websocket和服务器没有足够的时间来将用户的下一个会话令牌找回来。 当然,这会导致其令牌过期并从数据库中删除,并通知用户其凭据已过期或被盗(从业务角度来看,这看起来确实不好)。</ p> < p>我对解决方案有一些想法,但是从长远来看,似乎在可扩展性方面都没有希望。</ p>

    对此事的所有想法和解决方案都表示赞赏!</ p> </ DIV>

1条回答 默认 最新

相关推荐 更多相似问题