I have just completed a little hack on my own Angular application. Firstly, I have a list of navigation menu items with PUBLIC, MEMBER and ADMIN access roles. Upon login, I stored the role 'MEMBER' for the user, so he could view the PUBLIC and MEMBER links. But later I turned on (using Chrome)
Developer Tools > Application > Storage > Session Storage
manipulated the 'role' variable from 'MEMBER' to 'ADMIN', and I could view the secret admin links.
It's not a coding structure question but rather 'how to store session variables in a secure way'. Before that, I thought PHP's session variable was equivalent to 'Session Storage', which the community says is not changeable by the user https://stackoverflow.com/a/6912409/8163746.
Now I have learnt that there are two types of SESSIONs: server-side and client-side sessions. For a standard Angular app, what is the best way to store things like 'email' and 'role' so that they can't be modified by the user? The reason I need them in the session is that they can easily be called out for:
Role - Show/Hide navigation menu items
Email - to perform SQL filter, SELECT fields FROM Record WHERE email=Session.Email
Thanks for the advice.
Everything on the browser can be modified by the user. So you need to validate whatever session mechanism you choose on the server too before executing an action.
For instance, you could use Json Web Tokens (JWT).
When you log in with your API, the API generates a secure token which is sent to the client on successful authentication. That secure token is encrypted and can contain any info, such as user id and role.
That token is then stored in the browser (either in local storage, session storage or cookies). Cookies are the most secure option and will allow authentication to work with Angular Universal.
The token is passed along with each API call. If you are using cookies, they'll be passed automatically. If using local or session storage, you can create an HttpInterceptor to add the token to the request.
The API then validates that the token is valid and checks the user role before executing the action.
So even if you store the user role client side and the client modifies that role, the action won't be executed API side, which is the most important thing.