As described in a previous question, we are in process of rebuilding a web service using two completely separated layers (servers and domains) for the frontend (HTML5 web app) and the backend (probably using Node.js).
The frontend will be served by a CDN over SSL, on the "www" subdomain (www.foo.com), while the backend will be an API server on the "api" subdomain. The API server will of course communicate over SSL and will only provide JSON-formatted data (with PJAX as an option we are evaluating).
We would like some feedback on our current design proposal.
Login
- User fills a form with username/password and submits it locally.
- The client computes the hash of the password locally (PBKDF2) and submits it to the server (e.g.
POST /loginwith the fields username and hashed password) - The server checks the hash against the one in the database, and if successful will respond with a session key.
- The client stores the session key in its local storage (HTML5).
If the login is not successful, after 3 failed attempts a captcha will be required too.
We considered the use of OAuth for authorization, but because of technical reasons we need the client on the "www" subdomain to see the password in cleartext at least for a few seconds. (that's another story :) )
Session
- The session key is sent in clear text (on SSL) along with every request and is used by the API server to authenticate the user.
- Additionally, each request must contain a "seq" field (for example, timestamp in milliseconds) that has to be greater than the previous one used. If this doesn't happen, the session key is revoked.
- The session key expires after 30 minutes.
- Before expiration, the client may request a refresh.
- The server itself may refresh the session key after 10 minutes along with a response to a request. (e.g. in the response for the method
GET /somethingthere is a field "session key" which contains a replacement session key). - When the session key is refreshed, the old one is revoked instantaneously (or after 30 seconds - even if two concurrent requests are extremely rare in our application).
Additional security: both the web server (www) and the API server will only respond to requests over SSL. The web server redirects users not using SSL to the SSL version (using HSTS: the redirect will happen only once for each user, hopefully reducing the risks for man-in-the-middle attacks).
Do you think this design (if implemented correctly) provides good protection? Is there any other recommendation you think we should consider? Thank you.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 走好不送 的文章《Security of an API server: login with password and》','https://www.manongdao.com/article-913945.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}