Just for fun, let's encrypt some stuff in client-side JavaScript and have a PHP server decrypt it. Note that this will never replace TLS (HTTPS).
You'll want the latest release of sodium-plus for this. (As of this writing, it's version 0.4.0.)
<script
src="/static/js/sodium-plus.min.js"
integrity_no="sha384-lv7SVE0eb0bXA3fgK6PwlhViiUwG6tBuMAhS8XX7RvBvyRcdEdJ8HKtFgs4vHTUh"
TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.
If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" usecases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)
A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/
The reason to avoid JWTs comes down to a couple different points:
| // Harden Jenkins and remove all the nagging warnings in the web interface | |
| import jenkins.model.Jenkins | |
| import jenkins.security.s2m.* | |
| Jenkins jenkins = Jenkins.getInstance() | |
| // Disable remoting | |
| jenkins.getDescriptor("jenkins.CLI").get().setEnabled(false) | |
| // Enable Agent to master security subsystem |
| [alias] | |
| # Basically `log --oneline --decorate --graph` with different colors and some additional info (author and date) | |
| lg = log --graph --abbrev-commit --decorate --format=format:'%C(yellow)%h%C(reset) %C(normal)%s%C(reset) %C(dim white)%an%C(reset) %C(dim blue)(%ar)%C(reset) %C(dim black)%d%C(reset)' | |
| # lg (see above) with --first-parent | |
| lgp = log --graph --abbrev-commit --decorate --format=format:'%C(yellow)%h%C(reset) %C(normal)%s%C(reset) %C(dim white)%an%C(reset) %C(dim blue)(%ar)%C(reset) %C(dim black)%d%C(reset)' --first-parent | |
| # https://stackoverflow.com/questions/61510067/show-specific-commits-in-git-log-in-context-of-other-commits | |
| hl = "!f() { cd -- ${GIT_PREFIX:-.}; grep --color -E \"$(git log --pretty=%h \"$@\" | tr '\n' '|')\" || true; }; f" | |
| hlp = "!f() { cd -- ${GIT_PREFIX:-.}; less -R -p $(git log --pretty=%h \"$@\" | tr '\n' '|'); }; f" |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <opml version="1.0"> | |
| <head> | |
| <title>Subscriptions - [email protected]</title> | |
| </head> | |
| <body> | |
| <outline text="PHP" title="PHP"> | |
| <outline htmlUrl="http://frederickvanbrabant.com" title="frederickvanbrabant.com" xmlUrl="http://frederickvanbrabant.com/feed.xml" type="rss" text="frederickvanbrabant.com"/> | |
| <outline htmlUrl="http://mattallan.org" title="mattallan.org" xmlUrl="http://mattallan.org/feed.xml" type="rss" text="mattallan.org"/> | |
| <outline title="asked.io" xmlUrl="https://asked.io/rss" type="rss" text="asked.io"/> |
Disclaimer: Please follow this guide being aware of the fact that I'm not an expert regarding the things outlined below, however I made my best attempt. A few people in IRC confirmed it worked for them and the results looked acceptable.
Attention: After following all the steps run gdk-pixbuf-query-loaders --update-cache as root, this prevents various gdk-related bugs that have been reported in the last few hours. Symptoms are varied, and for Cinnamon the DE fails to start entirely while for XFCE the icon theme seemingly can't be changed anymore etc.
Check the gist's comments for any further tips and instructions, especially if you are running into problems!
Results after following the guide as of 11.01.2017 13:08:
While a lot of Node.js guides recommend using JWT as an alternative to session cookies (sometimes even mistakenly calling it "more secure than cookies"), this is a terrible idea. JWTs are absolutely not a secure way to deal with user authentication/sessions, and this article goes into more detail about that.
Secure user authentication requires the use of session cookies.
Cookies are small key/value pairs that are usually sent by a server, and stored on the client (often a browser). The client then sends this key/value pair back with every request, in a HTTP header. This way, unique clients can be identified between requests, and client-side settings can be stored and used by the server.
Session cookies are cookies containing a unique session ID that is generated by the server. This session ID is used by the server to identify the client whenever it makes a request, and to associate session data with that request.
*S
| <? | |
| /** | |
| * Generates a offline-mode player UUID. | |
| * | |
| * @param $username string | |
| * @return string | |
| */ | |
| public static function constructOfflinePlayerUuid($username) { | |
| //extracted from the java code: | |
| //new GameProfile(UUID.nameUUIDFromBytes(("OfflinePlayer:" + name).getBytes(Charsets.UTF_8)), name)); |
| tar xOf dump.sql.tar.gz | mysql -u $user -p $database |
| [Default Item Styles - Schema One (dark)] | |
| Alert=ffc7626b,ffc7626b,1,,,,fffae9eb,-,,--- | |
| Annotation=ff7f8c8d,ff7f8c8d,,,,,-,-,,--- | |
| Attribute=ffe5c17c,ffe5c17c,,,,,-,-,,--- | |
| Base-N Integer=ffe5c17c,ffe5c17c,,,,,-,-,,--- | |
| Built-in=ffabb2c0,ffabb2c0,,,,,-,-,,--- | |
| Character=ff97c378,ff97c378,,,,,-,-,,--- | |
| Comment=ff4f5562,ff4f5562,,,,,-,-,,--- | |
| Comment Variable=ff7f8c8d,ff7f8c8d,,,,,-,-,,--- | |
| Constant=ffabb2c0,ffabb2c0,1,,,,-,-,,--- |