
User login system with a MySQL database and AngularJS?

Updated: 2023-02-02 22:11:38

You should not do a login on an Angular page, since everything data-related is handled by JavaScript, which can easily be stopped, debugged and analyzed.

A better approach is:

  1. Create a normal index.php which presents a login form to the user.
  2. On submit, check for validity with your database.
  3. If the user is valid, start a session and header on to the actual Angular app page.
  4. The only way to check if this is a valid PHP session is in your REST calls via the Angular http service to your database-related PHP scripts.
  5. So every read/write access to your REST API should check if this user is really allowed to do this DB operation in the PHP script.
  6. If the check fails, header back to the login page or some "Got you!" page.

This way the attacker may be able to see the JS code of the Angular app (if he somehow gets hold of the actual address), but it's completely useless to him, because he can never see the actual data as long as he hasn't started a valid PHP session. And the data is what you want to protect, not the script of the app.

In a nutshell: Mix standard PHP validation AND Angular. Allow haxors to get to your page, but never, ever show them any of your underlying data. As soon as someone tries to mess with your data, kick him out.

This is nearly the same answer I gave here

Search for the marked keywords in both PHP and Angular sites to grasp the idea behind this.
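The six steps above, written out as an added example (not the answerer's code): a login handler that starts the PHP session, and a `requireLogin()` gate that every REST endpoint the Angular app calls runs before touching the database. The `$pdo` handle, the `users` and `notes` tables, the `/app/` path and the file names are assumptions for the example.

```php
<?php
// Added example (not the answer's own code). Hypothetical: a PDO handle $pdo,
// a `users` table (id, username, password_hash from password_hash()), a
// `notes` table (id, owner_id, title), and the Angular app served from /app/.
session_start();

// Steps 2-3: validate the submitted form against the database.
function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id on login: no session fixation
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

// Steps 4-6: every REST endpoint calls this before touching the database.
function requireLogin(): int
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);            // the JS gets a status code, never data
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not authenticated']);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Router: POST index.php is the login form, GET api.php is an Angular $http call.
$script = basename($_SERVER['SCRIPT_NAME']);
if ($script === 'index.php' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    header('Location: ' . ($ok ? '/app/' : '/index.php?error=1'));  // step 3 or step 6
    exit;
}
if ($script === 'api.php') {
    $userId = requireLogin();
    // Step 5: scope the query to the session's user, so a valid session for
    // user A cannot read user B's rows.
    $stmt = $pdo->prepare('SELECT id, title FROM notes WHERE owner_id = ?');
    $stmt->execute([$userId]);
    header('Content-Type: application/json');
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
}
```

The point of the `requireLogin()` gate is that the check lives server-side, in the script the Angular `$http` call hits, so stopping or editing the JS in the browser changes nothing about what the database returns.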