在URL中传递JWT来验证用户是否安全? [英] Is that safe to pass JWT in urls to authenticate users?

问题描述

我当前的体系结构基于LDAP + JSON Web令牌认证，并且我通过URL通过以下方式传递令牌: https://myHostApp?jwt={myToken}

My current architecture is based on a LDAP + JSON Web Token authentication, and my passing Token via the URL this way : https://myHostApp?jwt={myToken}

以这种方式进行操作是否安全?还是我应该通过另一种方式来分发令牌? 还要假设已启用SSL.

Is that safe to proceed this way, or I should pass another way the Tokens? Assuming also, that SSL is enabled.

推荐答案

我不同意接受的答案. 可以肯定地说，使用HTTPS可以防止数据泄漏.但是，如果在查询字符串中设置了令牌，则可以实现许多攻击.例如:

I disagree with the accepted anwser. It is right to say that the use of HTTPS will prevent data leaks. However there are lot of attacks that are achievable if tokens are set in the query string. For example:

• 使用浏览器历史记录
• 使用透明代理

此外，每个Web服务器都会记录访问请求，因此，如果攻击者在您的服务器上获得访问权限，则所有令牌都将可用.

Furthermore, every web servers log the access requests thus, if an attacker get access on your server, all tokens will be available.

即使 RFC6750 (OAuth2承载令牌用法) DO不建议使用此传输模式.

Even the RFC6750 (OAuth2 Bearer Token Usage) DO NOT recommend the use of this transport mode.

请勿在页面网址中传递承载令牌:不应将承载令牌 传入页面URL(例如，作为查询字符串参数). 相反，承载令牌应该在HTTP消息头中传递，或者 采取机密措施的邮件正文. 浏览器，Web服务器和其他软件可能不适当 浏览器历史记录，Web服务器日志和其他中的安全URL 数据结构.如果在网页网址中传递了承载令牌， 攻击者可能能够从历史数据，日志， 或其他不安全的位置.

Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.

请注意，RFC6750引用了OAuth2 Framework协议，但不仅限于此，在Web上下文中的每次令牌传输中都应考虑使用.

Please note that the RFC6750 refers to the OAuth2 Framework protocol but is not limited to it and should be considered for every token transmission in a Web context.

这篇关于在URL中传递JWT来验证用户是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！