When a user connects to the Taaltoolbox platform, they receive a random UID that identifies them; the user id is placed in a JWT, and for each subsequent request from that client the token is sent in a cookie carried in the request header.
Current Context
Currently we receive user information in the clear and store it in the browser's local storage, which allows us to access user data at any time.
This poses a security concern: the user's sensitive information is accessible from the browser, so a potential attacker could gain access to it.
Solution
First, when the user arrives on the site, they must log in using their email and their username. Once the login information has been sent, the backend goes through the following steps:
Verification of the entered password
Collection of the user's information
Generation of the JWT from the user's information (their id)
Generation of a random UID which will be used for the user session
Placing the JWT in the header of the HTTP response and the random UID in the user's sessionStorage
Each time the user wishes to access sensitive data (their personal information or their role), the validity of both the JWT and the random UID will be checked on the backend.
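The login flow above, as an added example that is not Taaltoolbox's own code: it assumes an HS256-signed JWT built with the standard library, an in-memory server-side store that binds each random session UID to its user id, and cookie attributes (HttpOnly, Secure, SameSite) chosen here so the token is not readable by page scripts. The JWT carries only the user id, never the personal data itself.

```python
import base64, hmac, hashlib, json, secrets, time

SESSIONS = {}  # server-side store: random session UID -> user id (assumed, in-memory)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(user_id: str, secret: bytes, ttl: int = 3600, now=None) -> str:
    """Step 3: HS256 JWT whose payload holds only the user id (sub) and expiry."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def issue_session(user_id: str, secret: bytes):
    """Steps 3-5: JWT plus random session UID; returns (jwt, uid, Set-Cookie value).
    The UID is what the client keeps in sessionStorage; the JWT travels as a cookie."""
    token = make_jwt(user_id, secret)
    uid = secrets.token_urlsafe(32)          # unguessable session identifier
    SESSIONS[uid] = user_id                  # bind UID to the user it was issued for
    cookie = f"token={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
    return token, uid, cookie

def verify_request(token: str, uid: str, secret: bytes, now=None):
    """Backend check on every sensitive request: JWT algorithm, signature and
    expiry, then the session UID must map to the same user as the token's sub.
    Returns the user id on success, None on any failure."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None                      # reject "none" or unexpected algorithms
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None                      # tampered payload or wrong key
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None                          # malformed token
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None                          # expired
    if SESSIONS.get(uid) != claims.get("sub"):
        return None                          # UID unknown or bound to another user
    return claims["sub"]
```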