Antiforgery token in a distributed SPA application

Views: 187

Problem description

I am working on a distributed high-availability single-page application which gets served from a cluster of Docker nodes. Occasionally a node will die (for perfectly valid reasons, so that is not the issue). All the clients are then seamlessly rerouted to one of the other nodes. Unfortunately, all of their XSRF tokens are then invalid, as they were stored in memory on the client.

So the question is: how do we distribute the storage of the current XSRF tokens in a *nix-based setup?

Recommended answer

To summarize my comments:

XSRF/CSRF is only possible when you use cookies for authentication. It allows attackers to lure users to a fake page which redirects a (typically hidden) form to your website with data filled in by the attacker, or which calls scripts in image tags (if GET requests have side effects, which should be avoided), i.e.

<img src="http://yourdomain.com/user/5/delete" />

When you use an SPA (Single Page Application: an application written in JavaScript that is loaded only by the initial request, and every other call happens via Ajax/JavaScript), then you would typically use access tokens (opaque tokens or JWT tokens) to authenticate.

Sending tokens with each request is not vulnerable to XSRF; it is only if you use cookie authentication. The ASP.NET Core documentation explicitly states that:

https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery

Some attacks target site endpoints that respond to GET requests, in which case an image tag can be used to perform the action (this form of attack is common on forum sites that permit images but block JavaScript). Applications that change state with GET requests are vulnerable to malicious attacks.

CSRF attacks are possible against web sites that use cookies for authentication, because browsers send all relevant cookies to the destination web site. However, CSRF attacks are not limited to exploiting cookies. For example, Basic and Digest authentication are also vulnerable. After a user logs in with Basic or Digest authentication, the browser automatically sends the credentials until the session ends.
