在Local Stoarge或会话存储中存储敏感数据是否安全? Localstorage允许对敏感数据进行任何攻击 [英] Is it safe to store a sensitive data in Local Stoarge or session storage? Localstorage allows to any attacks for sensitive data
问题描述
在Web应用程序中,Html5中本地存储的安全性如何,或者是否有其他方法可以保护本地存储中的敏感数据。
In web application , How secure is local storage in Html5 or else is there any other way to secure the sensitive data in local storage.
项目结构:
前端:Html5,Angular js, Middletier: Asp.net webApi, BackEnd :Sql Server。
Front End: Html5,Angular js, Middletier: Asp.net webApi , BackEnd :Sql Server.
用户登录页面后,使用一些加密算法对凭证进行加密。它将存储在数据库中。
Once user login into the page, that credentials is encrypted by using some cryptography algorithms.It will be stored in db.
之后,每个子项操作如产品列表,订单详细信息,书籍历史记录,添加产品需要验证。
After that every child action like products list, order details, book history ,add product need to validate that.
在页面后刷新时,数据会丢失所以需要坚持数据,所以我选择localstorage。存储了使用一些js算法加密的用户名和密码,并存放在本地存储中。
While refresh after the page, data gets lossed so need to persist the data so i have choose localstorage. stored the username and password encrypted using some js algorithms and in put in local storage.
我觉得它不安全,因为任何人都可以从浏览器窃取数据工具。
I feel it as not safe , because of any one can steal the data from the browser tools.
在这种情况下是否有其他替代方法,否则这种方法是安全的。
Is there any alternative approach in this scenario or else this approach is secure.
任何人都可以提供帮助我要处理。
can anyone help me to process.
推荐答案
每个Webapp Craftsman都必须知道:
There is something that every Webapp Craftsman must know:
防火墙之外没有可以完全安全的存储库。为什么?因为每个人都可以访问您需要允许应用程序操作数据的打开的门。
There is no repository beyond your firewall that can be fully secure. Why? Because the open door that you NEED to allow your application manipulate the data is accessible to everyone.
想象一下,您决定加密本地存储的内容。
这将阻止有权访问浏览器本地存储的人(例如开发人员工具)能够读取/写入数据。但您的应用程序将如何访问数据?您有两种选择:
This will prevent someone with access to the browser's local storage (e.g. the developer tool) to be able to read/write the data. But how your application will access the data? You have two options:
- 在客户端应用中发送加密算法+密码短语。如果有人设法阅读您的应用程序代码并访问浏览器内存(例如开发人员工具),这将公开您的所有数据。
- 从客户端发送每个数据 - 那边要解密的服务器。嗯......这没有意义。最好将数据存储在服务器中。
- Send the encryption algorithm + passphrase within the client-side app. This will expose all your data if someone manage to read the code of your app and access to memory of the browser (e.g. the developer tool)
- Send every data from the client-side to the server to be decrypted there. Well ... this is pointless. Is better to store the data in the server for that matter.
你可以尝试尽可能多的,你需要一个开放的门,这个敞开的门可供任何人使用。
You can try as much as you want, you will need an open door, and that open door can be use by anyone.
但我有一个问题:你真的需要一个完全安全的客户端存储库吗?这种存储库不是为了完全安全而创建的,但它们足够安全!
But I've a question for you: Do you really need a fully secure repository in the client side? This kind of repository weren't created for be fully secure, but they are secure enough!
例如,您的Web应用程序的会话cookie由浏览器存储?如果有人窃取了该cookie,它可以冒充用户,您的应用程序将永远不会注意到它,对吧?当你想到它时,这是非常可怕的。
For example, the session cookie of your web app is stored by the browser right? And if someone steal that cookie, it can impersonate the user and your application will never notice it, right? This is pretty scary when you think about it.
如今,没有人会对此深思熟虑,因为浏览器足以保护cookie免受恶意访问。当然,他们也是这样做的,以保护本地本地/会话存储,IndexedDB,WebSQL等。
Nowadays nobody put to much thinking on this because browsers are secure enough to protect cookies from malicious access. And of course, they did the same to protect the local local/session storage, IndexedDB, WebSQL, etc.
因此,如果您的数据比您的用户会话更珍贵,将它保存在服务器中。如果没有,请继续将其放入浏览器中。
So, if your data is more precious than your user session, keep it in the server. If not, go ahead and put it in the browser.
PRO TIP:在无安全存储库中存储时考虑加密使其更难要得到。但请记住,这需要付出代价:您将无法使用这些存储库的查询系统来搜索加密数据。
PRO TIP: Consider encryption when storing in a no secure repository to make it harder to get. But remember that this comes at a price: you will not be able to use the query system of those repositories to search over encrypted data.
这篇关于在Local Stoarge或会话存储中存储敏感数据是否安全? Localstorage允许对敏感数据进行任何攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
