如何保护访问令牌 [英] How can I secure access token

问题描述

How can I secure access token ? I can take token value and cookie identity from browser which signed and have valid token, to another brwoser and access authority actions?

我尝试过：

What I have tried:

How can I secure access token ? I can take token value and cookie identity from browser which signed and have valid token, to another brwoser and access authority actions?

推荐答案

如果这就是安全性的实施方式。然后是的，如果你能够让你的cookie在其他浏览器中工作，或者你的用户可以复制存储在cookie中的数据，那么它就是如何工作的，那么他们就可以从任何地方访问他们的会话。



除此之外，最好只在cookie中存储访问令牌（而不是UserID），然后每隔一段时间刷新一次cookie。甚至尝试嵌入有关用户代理，系统和其他内容的一些信息，以便您可以防止篡改cookie并重用它。



阅读以下内容以获取更多相关信息，

security - 如何通过简单地将cookie从机器复制到另一个来防止会话劫持？ - 堆栈溢出 [ ^ ]

如何实现cookie和会话以防止在其他地方重用 - 信息安全堆栈交换 [ ^ ] br />


安全性本身就是一个很大的话题。

If that is how the security is implemented. Then yes, that is how it will work if you are able to have your cookie work in other browsers, or your users can replicate the data stored in the cookies, then they can access their sessions from anywhere.

Instead of this, it is best to only store an access token in the cookie (not the UserID), and then refresh the cookie at intervals. Even try to embed some information about the user agent, system and other stuff so that you can prevent the tampering of the cookie and reuse of it.

Read these for a bit more information on this,
security - How do I prevent session hijacking by simply copy a cookie from machine to another? - Stack Overflow[^]
How do cookie and session implement for preventing reuse elsewhere - Information Security Stack Exchange[^]

Security is a huge topic in its own.

这篇关于如何保护访问令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！