Where to store JWT in browser? How to protect against CSRF?


Problem description


I know cookie-based authentication. SSL and HttpOnly flag can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to protect it from CSRF. They are just a bit complicated. (reference)

Recently, I discovered that JSON Web Token (JWT) is quite hot as a solution for authentication. I know the stuff about encoding, decoding and verifying JWT. However, I don't understand why some websites/tutorials say there is no need for CSRF protection if JWT is used. I have read quite a lot and tried to summarize the problems below. I just want someone to provide the big picture of JWT and clarify the concepts I misunderstood about JWT.

  1. If the JWT is stored in a cookie, I think it is the same as cookie-based authentication except that the server does not need to have sessions to verify the cookie/token. There is still a risk of CSRF if no special measure is implemented. Isn't JWT stored in a cookie?

  2. If the JWT is stored in localStorage/sessionStorage, then there is no cookie, so there is no need to protect against CSRF. The question is how to send the JWT to the server. I found a suggestion here to use jQuery to send the JWT in the HTTP header of ajax requests. So, only the ajax requests can do the authentication?

  3. Also, I found one more blog that shows how to use "Authorization header" and "Bearer" to send the JWT. I don't understand the method the blog talks about. Could someone please explain more about "Authorization header" and "Bearer"? Does this make the JWT transmitted in the HTTP header of ALL requests? If yes, how about CSRF?

Solution

JWT tokens are popular since they are used as the default token format in new authorization and authentication protocols like OAuth 2.0 and OpenID Connect.

When the token is stored in a cookie, the browser will automatically send it along with each request to the same domain and this is still vulnerable to CSRF attacks.

Bearer authentication is one of the authentication schemes defined in HTTP. It basically means that YOU stick the (JWT) token in the Authorization HTTP header of a request. The browser will NOT do this for you automatically, so it's not suitable for protecting your website. As the browser does not automatically add the header to your request, it is not vulnerable to a CSRF attack, which depends on your authentication info being submitted automatically to the original domain.

The bearer scheme is often used to protect web APIs (REST services) that are consumed via AJAX calls or from mobile clients.
