How to keep state at the client SAFELY?


Question


Following this question: Can a cookie that was generated with Javascript (not send in the header by the server) be stolen / used by an attacker?


This is driving me crazy.
How can one ever keep state at the client using a FB access token?
One should use it to access resources on one's own server, and also from the FB server. Assuming that one uses a js framework (Backbone / Marionette) and REST authentication.
It cannot be encrypted as such, and yet there is no other way than to use a cookie to keep state at the client.


I have done plenty of research.
Every source mentions to keep state at the client, to avoid server sessions, yet I can't find a single source that explains how to do it safely.


If you know the answer, please share. Thanks.

Recommended answer


You can store information on the client safely if the server is delivering it.
You can encrypt or sign the data using a secret key which only the server knows and decrypt/validate the information using it.


However, by definition, you cannot store information safely which is also generated on the client itself. It's just the client playing with itself. Anyone can inspect what exactly is going on, so you can't sign or encrypt anything using any secret key, because by definition the key ceases to be secret if you give it to every client. You can also not trust any information the client is sending to the server because the client is free to send anything to the server it wishes. You cannot trust any code running on the client because it is entirely out of your control.
