How to prevent Rest web-service Authentication with stolen Token


Problem description

As we know, REST services are stateless, and a general strategy for authentication is token-based authentication.

In the login service, it takes credentials and returns a token.

This token might be set in client cookies, and all subsequent requests use this token to be validated; a new request is processed if the token is valid.

Now my question is: how can one validate the token? If someone has stolen the token and tries to access the REST services with the stolen token by just editing cookies, then how can it be identified and restricted?

We can never know whether the token was fetched by a valid user and the same user is trying to access subsequent requests, but what are the possible ways to make it harder, like verifying whether the request came from the same source?

One general suggestion is to set aging for tokens/cookies, but that still does not help during the lifetime of that token/cookie.

Any suggestions would be appreciated.

Recommended answer

After struggling through various approaches, we found the solution explained below:

  1. We store the token (encrypted) in a cookie on the login request, and this cookie is validated for every subsequent request.
  2. The problem was: what if someone replaces the token in the cookie with another valid token, since the cookie is maintained by the client browser?

Solution: though the token value was encrypted, it represented only one value, so if one replaced the whole encrypted value with another valid encrypted value, it could be hacked.

So to solve this we added another cookie which was a combination of multiple values.

For example:

Cookie 1 -> encrypted token

Cookie 2 -> an encrypted object containing information like username + some other user context details + token

So in the case of Cookie 1, it was easy to replace it with another encrypted value, as it represented only one token, even though it was encrypted.

But in the case of Cookie 2, it contained an object with multiple values, so the token value alone could not be modified, encrypted and set back in the same cookie.

Before authentication, we decrypt the whole of cookie 2, fetch the token part from it, and validate that token part against cookie 1.

That has solved our problem!!

Thanks for your time and guidance.
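The two-cookie scheme from the answer above, as an added example that is not the original poster's code. It binds the bare token (cookie 1) to a username, a fingerprint of the client context and the token itself (cookie 2), and rejects a request whose cookie 1 was swapped for another user's valid token or whose cookies arrive from a different client context. Assumptions: cookie 2 is protected with an HMAC-SHA256 tag under a server-side key (SERVER_KEY, constructed here) rather than encrypted, because it is the integrity check, not confidentiality, that stops the client from editing or reassembling the object; a real deployment would use an AEAD such as AES-GCM to get both. The names issue_cookies, authenticate, fingerprint and demo are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a per-server secret loaded from configuration in a real
# deployment; constructed here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fingerprint(client_context: dict) -> str:
    """Digest of the 'other user context details': stable request
    attributes such as the User-Agent. Only the digest goes into cookie 2."""
    raw = "|".join(f"{k}={client_context[k]}" for k in sorted(client_context))
    return hashlib.sha256(raw.encode()).hexdigest()


def issue_cookies(username: str, client_context: dict) -> dict:
    """Login step. Cookie 1 carries the bare token; cookie 2 carries the
    {user, ctx, token} object plus an HMAC tag, so the client cannot edit
    one field of it or rebuild it around a different token."""
    token = secrets.token_urlsafe(32)
    payload = {"user": username, "ctx": fingerprint(client_context), "token": token}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return {"cookie1": token, "cookie2": f"{_b64(body)}.{_b64(tag)}"}


def authenticate(cookies: dict, client_context: dict) -> Optional[str]:
    """Per-request check. Returns the username on success, None otherwise."""
    try:
        body_b64, tag_b64 = cookies["cookie2"].split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (KeyError, ValueError):
        return None  # missing or malformed cookie 2
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # cookie 2 was modified or forged
    payload = json.loads(body)
    # Swapping cookie 1 for another user's valid token fails here: the token
    # bound inside the authenticated cookie 2 no longer matches cookie 1.
    presented = str(cookies.get("cookie1", "")).encode()
    if not hmac.compare_digest(payload["token"].encode(), presented):
        return None
    # Both cookies presented, but from a different client context, fails here.
    if payload["ctx"] != fingerprint(client_context):
        return None
    return payload["user"]


def demo() -> dict:
    """Constructed scenario: two users, a cookie-1 swap, and a replay of a
    full cookie set from another client; returns each outcome."""
    alice = issue_cookies("alice", {"user_agent": "Browser/A"})
    bob = issue_cookies("bob", {"user_agent": "Browser/B"})
    return {
        "alice_legit": authenticate(alice, {"user_agent": "Browser/A"}),
        "bob_token_in_alice_session": authenticate(
            {"cookie1": bob["cookie1"], "cookie2": alice["cookie2"]},
            {"user_agent": "Browser/A"},
        ),
        "bob_cookies_from_other_client": authenticate(bob, {"user_agent": "Browser/A"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The limit the question itself points out still applies: a complete cookie set replayed from a client that presents the same context details is indistinguishable from the legitimate user, so this binding only narrows the window and must be paired with short token lifetimes and server-side revocation on logout.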
