How safe is JWT?


Question


I am learning about JWT for the security of my project, but I have a question. If I receive the token correctly after I log in, but someone else (a hacker) somewhere else steals this specific token, can he access my session? Is the server that uses JWT authentication able to detect this and protect me? How?

Solution

Only the server should know the "secret" that is used to generate the JWT. If someone modifies the data contained in the JWT, the server will fail to decode it. So the server can trust any JWT that it can decode.

However, if a hacker got access to your computer, they could see the JWT that is stored in the browser and use it. This same threat exists with cookies, so it's not really a flaw of the JWT.

One way to mitigate this threat is the expiration date of the JWT. For a banking app, your JWT might expire after a few minutes. For Facebook, it might expire after a few months. However, there's no bulletproof solution to this if someone gets access to your browser.

Another approach for hackers would be a "man in the middle" attack to intercept the network traffic between client and server and get at the cookie/JWT. The cookie/JWT should always be sent over HTTPS to prevent this.

IMPORTANT EDIT

Finally, to answer the question in your title, "How safe is JWT?": It depends on how you store the token. Local storage is not as secure as using cookies (reference) but cookies can be subject to CSRF or XSRF exploits.

This answer used to say JWT was safer than cookies, because cookies were subject to CSRF attacks. But storing JWT in local storage is not safe either. As a result, I'm no longer storing my JWT in local storage and am using well-known techniques to mitigate CSRF attacks.
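To make the two controls in the answer concrete (a server-side secret that causes any altered token to fail verification, and an `exp` claim that bounds how long a stolen token stays usable), here is a minimal HS256 issue/verify pair added for this page; it is not code from the answer's author, and the secret, claims and timestamps are constructed for the demo.

```python
# Added example: minimal HS256 JWT issuer/verifier using only the Python
# standard library. Shows why a tampered payload fails verification and
# why an "exp" claim limits the lifetime of a stolen token. The secret is
# constructed for the demo; a real server loads it from a secret store.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-known-only-to-the-server"  # constructed, not real


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes, ttl_seconds: int, now=None) -> str:
    """Build header.payload.signature with exp set ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    payload = b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, secret: bytes, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the token must never choose how it is verified.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # payload or signature was altered, or wrong secret
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        return None  # expired (or no expiry at all)
    return claims
```

Note what this does not catch: an unmodified, unexpired token presented by whoever stole it verifies exactly like the legitimate one, which is the answer's point that the signature proves integrity, not who is holding the token.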

