将JWT令牌存储在cookie中 [英] Store JWT token in cookie
问题描述
这是我的设置:
- 1个身份验证服务器,该服务器在成功进行
身份验证时会发出JWT令牌。 - 提供信息的多个API资源服务器(在对用户
进行身份验证时)。
现在我想构建我的ASP.NET MVC前端。可以将身份验证后收到的令牌拿到令牌中,然后将其放入Cookie中,这样我可以在需要进行的每个安全调用中对其进行访问吗?我使用RestSharp DLL进行http调用。如果它存在安全漏洞,那么我应该在哪里存储我的令牌?
Now I want to build my ASP.NET MVC frontend. Is it ok to take the token, which I receive after authentication, and put it in a cookie so I can access it with every secured call I need to make? I use the RestSharp DLL for doing my http calls. If it has a security flaw, then where should I store my token?
我会将此代码用于Cookie:
I would use this code for the cookie:
System.Web.HttpContext.Current.Response.Cookies.Add(new System.Web.HttpCookie("Token")
{
Value = token.access_token,
HttpOnly = true
});
推荐答案
您在正确的道路上! Cookie应该始终具有 HttpOnly 标志,设置此标志将阻止JavaScript环境(在Web浏览器中)访问cookie。这是防止浏览器中XSS攻击的最佳方法。
You’re on the right path! The cookie should always have the HttpOnly flag, setting this flag will prevent the JavaScript environment (in the web browser) from accessing the cookie. This is the best way to prevent XSS attacks in the browser.
您还应该在生产环境中使用 Secure 标志,以确保Cookie仅通过HTTPS发送。
You should also use the Secure flag in production, to ensure that the cookie is only sent over HTTPS.
您还需要防止 CSRF 攻击。通常,这是通过在另一个Cookie中设置一个值来完成的,该值必须在每个请求中提供。
You also need to prevent CSRF attacks. This is typically done by setting a value in another cookie, which must be supplied on every request.
我在 Stormpath ,我们已经写了很多有关前端安全性的信息。这两篇文章可能有助于理解所有方面:
I work at Stormpath and we’ve written a lot of information about front-end security. These two posts may be useful for understanding all the facets:
https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/
这篇关于将JWT令牌存储在cookie中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
