Hacking authentication tokens


Question

Hi,

Let's say I have implemented Token based Authentication and what I do is that I store the token in LocalStorage of WebBrowser.

Everything is fine, but I have not taken care of the hack.
I mean, since the token is in the browser storage for, let's say, 1 min, hackers can still hack it in 1 min.

How to face that? Or any new approach to cover it up?

What I have tried:

Tried Googling but didn't find anything specific.

Solution

This depends a bit on the level of control that you have over what is in the JavaScript included on your page. If all you are ever going to have is your own JS and you don't use any third-party frameworks or libraries, then the local store is fine.

If you think you might ever use an external library, though, you might need another method. An interesting one I've seen revolves around the use of httpOnly, digitally-signed cookies with embedded session tokens.

I found a very comprehensive write up about the problem and solutions here:
Please Stop Using Local Storage - DEV Community
