使用LocalStorage注销
我有一个带有JWT身份验证的REST API,我在前端与JQuery和Ajax一起使用了我的消费。 我不允许使用服务器端语言。 在登录过程中,我将身份验证令牌和用户名存储在 localstorage 中。在注销期间,我清除了LocalStorage。
在登录过程中:
localStorage.setItem('token', token);
localStorage.setItem('username', username);
当用户单击“注销”按钮时,我清除了LocalStorage并将其重定向到登录页面:
localStorage.clear();
window.location.replace('login.html');
但是,即使我清除本地存储,当我检查浏览器的“开发工具”选项卡时,我仍然可以看到所有项目那是在我的地方存储中存储的。这意味着用户可以访问应用程序的特定页面,而无需真正登录应用程序。这是一个威胁,因为他只能在身份验证后访问页面。
当我在LocalStorage上选择 SessionStorage 时,注销后的会话速度确实为空。但是用户不能在应用程序中,并在新选项卡中打开联系页面(例如)。我希望用户仍在使用该应用程序(即使在新选项卡中)不单击“注销”按钮。
如何有效地达到我的要求?
I have a rest api with jwt authentication that I consume exlusively with jquery and ajax in the frontend. I am not permit to use a server side language.
During the login, I store the authentication token and the username in the localStorage. And during the logout, I clear the localStorage.
During the login:
localStorage.setItem('token', token);
localStorage.setItem('username', username);
When the user clicks on the logout button, I clear the localStorage and redirect him to the login page:
localStorage.clear();
window.location.replace('login.html');
But even if I clear the local storage, when I check the development tools tab of my browser I can still see all items that was stored in my localStorage. That means that a user can access a specific page of the application without really log in the application. This is a threat because he should access a page only after authentication.
When I choose sessionStorage over localStorage, the sessionStorage is really empty after logout. But a user can not be in the application and open the contact page (for example) in a new tab. I would like the user still using the application (even if in a new tab) if he doesn't click on the logout button.
How can I efficiently achieve my requirements ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论