Problem description
I'm familiar with Web Storage APIs and cookies, but I can't figure out what the most secure way to store an authentication token is. I'm wondering if this might break any third-party libraries.
I'd like to have an exhaustive list of available methods to do so, with the pros and cons of each and the best way above all, if any.
Recommended answer
Where to Store Your JWTs

With token-based authentication, you are given the choice of where to store the JWT. We strongly recommend that you store your tokens in local storage/session storage or a cookie.
Commonly, the JWT is placed in the browser's local storage and this works well for most use cases.
When logging in a user with a username and password, the response body contains the access_token JWT. Then you need to handle this response in the client side code. This token can then be stored in localStorage or sessionStorage.
Both localStorage and sessionStorage extend Storage. The only difference between them is the persistence of the data:
- localStorage - data persists until explicitly deleted. Changes made are saved and available for all current and future visits to the site.
- sessionStorage - changes made are saved and available for the current page, as well as future visits to the site in the same window. Once the window is closed, the storage is deleted.
- Unlike cookies, local storage is sandboxed to a specific domain and its data cannot be accessed by any other domain, including subdomains.
- Web storage is accessible through JavaScript on the same domain, so any JavaScript running on your site will have access to web storage, and because of this it can be vulnerable to cross-site scripting (XSS) attacks.
- The developer must ensure that the JWT is always sent over HTTPS and never over HTTP.
You can also use cookies to store the JWT. The exact way to set a cookie depends on the client side language you are using.

There are different options to control the lifetime of a cookie:
- Cookies can be destroyed after the browser is closed (session cookies).
- Implement a server side check (typically done for you by the web framework in use), and you could implement expiration or sliding window expiration.
- Cookies can be persistent (not destroyed after the browser is closed) with an expiration.
- Cookies can be read by both the JavaScript and the server side code, or only by the server side if the httpOnly flag is set.
- The max size of a cookie is only 4kb, so that may be problematic if you have many claims attached to the token.
- Cookies can be vulnerable to cross-site request forgery (CSRF or XSRF) attacks. This type of attack occurs when a malicious web site causes a user's web browser to perform an unwanted action on a trusted site where the user is currently authenticated. This is an exploit of how the browser handles cookies. Using a web app framework's CSRF protection makes cookies a secure option for storing a JWT. CSRF can also be partially prevented by checking the HTTP Referer and Origin headers.
- Can be difficult to implement if the application requires cross-domain access. Cookies have additional properties (Domain/Path) that can be modified to allow you to specify where the cookie is allowed to be sent.
Source: https://auth0.com/docs/security/store-tokens#how-to-implement
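An added example, not part of the answer above or of Auth0's documentation, showing the cookie option in code: a server-side helper that emits the Set-Cookie header for the JWT with the httpOnly flag, Secure, an optional Domain/Path and expiration, and the 4kb size check, plus the Origin/Referer check the answer mentions for CSRF. It goes slightly beyond the answer by also setting SameSite; the function names, the allowed-origin list and the sample token are all constructed here.

```javascript
// Cookie-based JWT storage helpers (added example; names and values are constructed).
const MAX_COOKIE_BYTES = 4096; // the ~4kb per-cookie limit mentioned in the answer

// Build a Set-Cookie value for the token.
//  - HttpOnly: page JavaScript cannot read the cookie (limits XSS token theft)
//  - Secure:   the browser only sends it over HTTPS
//  - SameSite: limits cross-site sending (CSRF mitigation, in addition to the check below)
//  - maxAge undefined => session cookie, destroyed when the browser closes;
//    a number => persistent cookie with an expiration
function buildJwtCookie(name, jwt, { domain, path = "/", maxAge, sameSite = "Lax" } = {}) {
  const parts = [`${name}=${jwt}`, `Path=${path}`, "HttpOnly", "Secure", `SameSite=${sameSite}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  const header = parts.join("; ");
  if (new TextEncoder().encode(header).length > MAX_COOKIE_BYTES) {
    throw new Error(`cookie exceeds ${MAX_COOKIE_BYTES} bytes; reduce the claims in the JWT`);
  }
  return header;
}

// CSRF check for a state-changing request: accept only when the Origin header
// (or, when Origin is absent, the origin part of Referer) is one of our own
// origins. Requests carrying neither header are rejected; a malformed Referer
// is treated as absent.
function originAllowed(headers, allowedOrigins) {
  let origin = headers.origin;
  if (!origin && headers.referer) {
    try { origin = new URL(headers.referer).origin; } catch { return false; }
  }
  return Boolean(origin) && allowedOrigins.includes(origin);
}

// Constructed usage: a persistent one-hour cookie scoped to app.example.com.
const sampleJwt = "eyJhbGciOiJIUzI1NiJ9.constructed.payload"; // not a real token
const exampleCookie = buildJwtCookie("access_token", sampleJwt, {
  domain: "app.example.com",
  maxAge: 3600,
});
const exampleAllowed = originAllowed(
  { origin: "https://app.example.com" },
  ["https://app.example.com"],
);
```

The `Set-Cookie` string is what the login response would carry instead of returning the token in the body, and `originAllowed` runs before any cookie-authenticated request that changes state.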