在 JWT Payload 中存储敏感数据是否安全? [英] Is it safe to store sensitive data in JWT Payload?
问题描述
我目前正在学习使用 PHP 实现 JWT,并希望在我的 RESTful 应用程序中使用 JWT 令牌而不是会话.
I'm currently learning JWT implementation with PHP and want to use JWT tokens instead of sessions for my RESTful application.
在签名创建期间,我正在做这样的事情
During signature creation, I'm doing something like this
token = base64Header + '.' + base64Payload + '.' + signature
这里我们只是使用 base64 作为 Payload.如果我粘贴到 https://jwt.io/#debugger 之类的网站,Payload 会被解密(即使签名错误).
Here we are just using base64 the Payload. If I paste in sites like https://jwt.io/#debugger, the Payload gets decrypted (even if the signature is wrong).
我的问题,
- JWT 是否只用于发送数据时与服务器验证签名?
- 在 Payload 中保存敏感数据是否不安全?
- 如果不安全,有什么方法可以保护 Payload?
下面是我写的示例代码
<?php
$headers = base64_encode(json_encode([
"typ" => "JWT",
"alg" => "HS256"
]));
$claims = base64_encode(json_encode([
"sub" => "1234567890",
"name" => "John Doe",
"admin" => true,
"jti" => "870a3de5-ea7b-4062-abef-11180e530f5a",
"iat" => 1492603378,
"exp" => 1492606978
]));
$payload = $headers.".".$claims;
$signature = base64_encode(hash_hmac("sha256", $payload, 'secret', true));
$encodedJWT = $payload.".".$signature;
// eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6Ijg3MGEzZGU1LWVhN2ItNDA2Mi1hYmVmLTExMTgwZTUzMGY1YSIsImlhdCI6MTQ5MjYwMzM3OCwiZXhwIjoxNDkyNjA2OTc4fQ.nvw-bAUgr7H_xr3q8_Yz8rCNtMohtn2YlCmcLoLBWlc
推荐答案
如果我粘贴到 https://jwt.io/#debugger 之类的网站,Payload 会被解密(即使签名错误).
If I paste in sites like https://jwt.io/#debugger, the Payload gets decrypted (even if the signature is wrong).
第三方无法验证签名,因为他们没有密钥.有效载荷没有被解密 - 它被解码.
Third parties cannot verify the signature because they don't have the secret key. The payload doesn't get decrypted - it gets decoded.
理想情况下,您应该不将敏感数据存储在有效负载中,因为有效负载仅经过 base64 编码且未加密.这意味着任何持有令牌的人都可以通过简单的 base64 解码来查看负载的内容.
Ideally you should not store sensitive data in the payload since the payload is only base64 encoded and not encrypted. This means anyone who gets a hold of the token can view the contents of the payload by simply base64 decoding it.
如果您在 Web 浏览器的本地存储中有一个令牌,并且您的网站存在 XSS 漏洞,那么窃取该令牌就很容易了.攻击者拥有一个有效的 JWT(无论如何它都会很快过期)已经够糟糕了,但如果它包含敏感数据,那么你就遇到了真正的麻烦.想象一下,由于潜在的大规模泄露,必须通知您网站上的所有用户,他们现在必须更改有关自己的各种敏感数据.
If you have a token in local storage of a web browser and your site has an XSS vulnerability it makes it trivial to steal the token. It's bad enough that the attacker has a valid JWT (which will hopefully expire soon anyway) but if it contains sensitive data then you're in real trouble. Imagine having to notify all users on your site that they must now change various bits of sensitive data about themselves because of a potential mass compromise.
保持 JWT 轻量级.在系统中存储用户 ID、他们的角色/授权.如果您觉得必须将敏感数据添加到有效负载中,请尝试重新考虑您的解决方案.
Keep the JWT lightweight. Store the users ID, their roles/grants withing the system. If you feel like you have to add sensitive data to the payload try and rethink your solution.
这篇关于在 JWT Payload 中存储敏感数据是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
