Does HTML5 web storage (localStorage) offer a security advantage over cookies?


Question


I was looking up alternatives to cookies and I've read about HTML5 web storage here, and I've read a simpler explanation here, but I still don't get how it works fully. Can someone offer a slightly non-technical explanation so that I can then understand the technical bits? It says about browsers having to store key-value pairs, but where and how is it stored, and why is it inaccessible to other sites? Why isn't it considered just another form of cookies?


  1. I'm looking for a thorough and complete alternative to cookies; as in, if my organisation wants to replace all its websites from using cookies to, say, an alternative such as web storage, then can we easily say 'Yes' to that requirement? Let's assume only the latest browsers are used.


How and in what ways does web-storage enhance security when compared to cookies? Does it have potential to compromise security in other ways? Is there someone with any real life experiences who can share the pros and cons?

Recommended answer


The differences between localStorage and cookies

Both cookies and localStorage are protected from access by unrelated domains by the Same Origin Policy.


The difference is that localStorage is only accessible through JavaScript, whilst cookies are accessible through JavaScript [1] and sent with each HTTP request.


There isn't much of a security benefit of using localStorage as opposed to cookies. The difference between the two is because the goal is different: localStorage can be used for things you'll only use in JavaScript, whilst cookies can be used for storing things you need on the server (as well).


Both can be accessed by anyone that has access to the browser of a user's computer and both localStorage and cookies can be accessed by JavaScript that is executed on the web page. (For the latter, see the exception below.)


You can see this if you enter localStorage or document.cookie in the browser console.

[1] You can set the HTTPOnly flag on a cookie so it isn't accessible through JavaScript.


How to use localStorage

Since there is already a lot of information available on using localStorage, I will just refer to two web sites documenting it:

  • DOM Storage at the Mozilla Developer Network
  • Local Storage at Dive Into HTML5


How the data is stored differs per browser. Below, I give information on how Mozilla Firefox stores cookies and local storage.


Note: instructions on how to find your Firefox profile are available in this article at Mozilla Support.


Firefox stores your cookies in your profile folder in a file named cookies.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, moz_cookies.

The structure of the table is as follows:

Here is a part of the contents of my cookies.sqlite database:


Firefox stores your localStorage data in your profile folder in a file named webappsstore.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, webappsstore2.

The structure of the table is as follows:

Structure of the column contents:

  • scope: <the domain name in reverse>:<the protocol>:<the port number>
  • key: the name of the stored value
  • value: the stored value
  • secure: this column is not used
  • owner: this column is not used

Here is a part of the contents of my webappsstore.sqlite database:

This is the same as the data that I get when I type localStorage in the console at the web page https://login.persona.org.

As you can see, data from both cookies and local storage is stored by the browser in the same way. If you are concerned about the safety of data that is being stored at the user's computer, localStorage offers no security benefit over cookies.

In fact, it may even be a greater risk, because you can set cookies to expire after a certain time, whilst localStorage won't expire. Thus, data saved in localStorage may remain at the user's computer for longer than it would have if you had used cookies.

(If, however, you only need to store data for the duration of a single session, you can use sessionStorage instead of localStorage.)
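As an added example (not code from the original answer), the following JavaScript decodes the webappsstore2 scope column described in the answer back into an origin and determines which stored keys a page at a given URL could read under the Same Origin Policy. The trailing "." after the reversed domain and the sample rows are assumptions constructed for the example.

```javascript
// Added example, not from the original answer: decode Firefox's webappsstore2
// "scope" column (<domain reversed>:<protocol>:<port>) back into an origin and
// decide which stored keys a page at a given URL may read under the Same
// Origin Policy. Assumption: the reversed domain may carry a trailing ".".

function scopeToOrigin(scope) {
  const parts = scope.split(':');
  if (parts.length !== 3) throw new Error(`unexpected scope format: ${scope}`);
  const [reversedHost, protocol, port] = parts;
  if (!/^\d+$/.test(port)) throw new Error(`bad port in scope: ${scope}`);
  // Strip the trailing "." (assumed) and undo the character-wise reversal.
  const host = reversedHost.replace(/\.$/, '').split('').reverse().join('');
  return { protocol, host, port: Number(port), origin: `${protocol}://${host}:${port}` };
}

function defaultPort(protocol) {
  return protocol === 'https:' ? 443 : 80;
}

// True when the page at pageUrl shares scheme, host and port with the stored
// scope, which is what the browser requires before exposing the entry.
function sameOrigin(scope, pageUrl) {
  const page = new URL(pageUrl);
  const stored = scopeToOrigin(scope);
  const pagePort = page.port ? Number(page.port) : defaultPort(page.protocol);
  return page.protocol === `${stored.protocol}:` &&
         page.hostname === stored.host &&
         pagePort === stored.port;
}

// Constructed rows in the shape of the webappsstore2 table (values are made up).
const SAMPLE_ROWS = [
  { scope: 'gro.anosrep.nigol.:https:443', key: 'session', value: 'constructed-value' },
  { scope: 'moc.elpmaxe.:http:80', key: 'theme', value: 'dark' },
  { scope: 'moc.elpmaxe.:https:443', key: 'csrf', value: 'constructed-token' },
];

// Keys a page at pageUrl would see in its own localStorage.
function readableKeys(pageUrl, rows = SAMPLE_ROWS) {
  return rows.filter(r => sameOrigin(r.scope, pageUrl)).map(r => r.key);
}
```

Note that http://example.com and https://example.com resolve to different scopes, so neither page sees the other's entries.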
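Because localStorage entries never expire on their own, a site that wants cookie-like lifetimes has to enforce them itself. As an added example (not from the original answer), this wrapper stores an expiry timestamp next to each value and treats expired entries as absent; MemoryStorage is a constructed stand-in for window.localStorage so it runs outside a browser.

```javascript
// Added example, not from the original answer: give localStorage values a
// lifetime, since the browser will otherwise keep them indefinitely.
// MemoryStorage is a constructed stand-in for window.localStorage (same
// getItem/setItem/removeItem/key/length surface); pass the real one in a page.

class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { const ks = Array.from(this.map.keys()); return i < ks.length ? ks[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

const PREFIX = 'ttl:'; // namespace so entries written by other code are left alone

function setWithExpiry(storage, key, value, ttlMs, now = Date.now()) {
  if (!(ttlMs > 0)) throw new RangeError('ttlMs must be positive');
  storage.setItem(PREFIX + key, JSON.stringify({ value, expires: now + ttlMs }));
}

// Returns the value, or null if missing, malformed or expired; expired and
// malformed entries are removed so they do not linger on the user's machine.
function getWithExpiry(storage, key, now = Date.now()) {
  const raw = storage.getItem(PREFIX + key);
  if (raw === null) return null;
  let entry;
  try { entry = JSON.parse(raw); } catch (e) { storage.removeItem(PREFIX + key); return null; }
  if (!entry || typeof entry.expires !== 'number' || entry.expires <= now) {
    storage.removeItem(PREFIX + key);
    return null;
  }
  return entry.value;
}

// Sweep all wrapper-owned entries, e.g. at page load; returns how many were removed.
function purgeExpired(storage, now = Date.now()) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i)); // snapshot first
  let removed = 0;
  for (const k of keys) {
    if (!k.startsWith(PREFIX)) continue;
    const before = storage.length;
    getWithExpiry(storage, k.slice(PREFIX.length), now);
    if (storage.length < before) removed++;
  }
  return removed;
}
```

For data needed only within one browser session, the answer's suggestion of sessionStorage still applies and needs no wrapper.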

