3

I have jz completed a little hack to my own angular application. Firstly, i have a list of menu navigation with PUBLIC, MEMBER, ADMIN access roles. Upon login, i stored roles 'MEMBER' to user where he could view PUBLIC and MEMBER links. (using Chrome) But later i turn on

Developer Tools > Application > Storage > Session Storage

manipulate the 'role' variable from 'MEMBER' to 'ADMIN' and i can view the secret admin links.

It's not a coding structure question but rather 'how to store session variable in secured ways'. Before that, i thought PHP's session variable is equivalent to 'Session Storage', which the community says SESSION is not change-able by user https://stackoverflow.com/a/6912409/8163746.

Then now i learnt that, there are two types of SESSIONs, server and client side session. For a standard angular app, what is the best way to store 'email', 'role' kinda deal and yet can't be modify by user? Reason i need them in session is they can be easily call out to

Role - Show/Hide navigation menu items
Email - to perform SQL filter, SELECT fields FROM Record WHERE email=Session.Email

Thanks for the advice.

Weilies
  • 500
  • 1
  • 7
  • 27

3 Answers3

3

Everything on the browser can be modified by the user. So you need to validate whatever session mechanism you choose on the server too before executing an action.

For instance, you could use Json Web Tokens (JWT).

  1. When you log in with your API, the API generates a secure token which is sent to the client on successful authentication. That secure token is encrypted and can contain any info, such as user id and role.

  2. That token is then stored on the browser (either in local storage, session storage or cookies). Cookies is the most secured options and will allow authentication to work with angular universal

  3. The token is passed along each API call. If you are using cookies, they'll be passed on automatically. If using local or session storage, you can create a HttpInterceptor to add the token to the request.

  4. The API then validates that the token is valid and the user role before executing the action.

So even if you store client side the user role and if the client modify that role, the action won't be executed API side, which is the most important.

David
  • 33,444
  • 11
  • 80
  • 118
0

You can store the session values in heap as a variable. You can create a session service which will take care of the session variables and will store it in a Map.

Sample project, https://stackblitz.com/edit/angular-ivy-oq4utv

With this approach the session values will be lost if the user refreshes/reloads the page and you will have to set all the session values again on each page refresh/reloads.

Ani
  • 370
  • 2
  • 9
0

The web browser has cookies which in the case of PHP default tracks it from the PHPSESSID cookie.

You can read about it here https://www.php.net/manual/en/book.session.php and here https://www.php.net/manual/en/session.idpassing.php

The Chrome LocalStorage and SessionStorage are local HTML5 features unrelated to PHP session https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage

To your question, I think you might be thinking about it the wrong way around. You want the server to give the client this kind of information not the other way around.

If you are using Angular and an API it should work RESTfully and using PHP session isn't a scalable nor reliable solution. https://en.wikipedia.org/wiki/Representational_state_transfer

If you need to validate user details, the client should send a token which the server can verify. If you want user details cached on the client, after login the API can return the details of who the user is and that can be saved into HTML5 SessionStorage

dbmuller
  • 318
  • 4
  • 7