Where to store a JWT token properly and safely in a web based application?

Question

I've heard about browser storage and cookies but can't figure out what the most secure way to store a token is. I also don't know if other methods exist, or if any third-party libraries do the work correctly.

I'd like to have an exhaustive list of available methods to do so, with the advantages/inconveniences of each and the best way above all, if any.

Answer

Where to Store Your JWTs

With token-based authentication, you are given the choice of where to store the JWT. We strongly recommend that you store your tokens in local storage/session storage or a cookie.

Commonly, the JWT is placed in the browser's local storage and this works well for most use cases.

When logging in a user with a username and password, the response body contains the access_token JWT. Then you need to handle this response in the client side code. This token can then be stored in localStorage or sessionStorage.

Click here for an example of using sessionStorage.

Both localStorage and sessionStorage extend Storage. The only difference between them is the persistence of the data:

localStorage - data persists until explicitly deleted. Changes made are saved and available for all current and future visits to the site.

sessionStorage - Changes made are saved and available for the current page, as well as future visits to the site on the same window. Once the window is closed, the storage is deleted.

  • Unlike cookies, local storage is sandboxed to a specific domain and its data cannot be accessed by any other domain, including sub-domains.
  • Web Storage is accessible through JavaScript on the same domain, so any JavaScript running on your site has access to it, and because of this it can be vulnerable to cross-site scripting (XSS) attacks.
  • The developer must ensure that the JWT is always sent over HTTPS and never over HTTP.

You can also use cookies to store the JWT. The exact way to set a cookie depends on the client side language you are using.

There are different options to control the lifetime of a cookie:

  • Cookies can be destroyed after the browser is closed (session cookies).
  • Implement a server side check (typically done for you by the web framework in use), and you could implement expiration or sliding window expiration.
  • Cookies can be persistent (not destroyed after the browser is closed) with an expiration.
  • Cookies can be read by both the JavaScript and the server side code, or only by the server side if the httpOnly flag is set.
  • The max size of a cookie is only 4kb, so that may be problematic if you have many claims attached to the token.
  • Cookies can be vulnerable to cross-site request forgery (CSRF or XSRF) attacks. This type of attack occurs when a malicious web site causes a user's web browser to perform an unwanted action on a trusted site where the user is currently authenticated. This is an exploit of how the browser handles cookies. Using a web app framework's CSRF protection makes cookies a secure option for storing a JWT. CSRF can also be partially prevented by checking the HTTP Referer and Origin headers.
  • Can be difficult to implement if the application requires cross-domain access. Cookies have additional properties (Domain/Path) that can be modified to allow you to specify where the cookie is allowed to be sent.

Original article: https://auth0.com/docs/security/store-tokens#how-to-implement
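The answer above lists the controls that go with the cookie option: the httpOnly flag, HTTPS-only transport, the 4kb cookie limit, and an Origin/Referer check as a partial CSRF defence. The following Node.js code is an added example and is not code from the original answer or from the Auth0 documentation it quotes. It builds the Set-Cookie header for a JWT cookie with HttpOnly, Secure and the SameSite attribute (SameSite is not mentioned on the page; it is a standard cookie attribute added here), enforces the size limit, performs the Origin/Referer check on the server, and accepts the token either from the cookie or from an Authorization header for clients that keep it in Web Storage. The cookie name access_token, the sample token value and the allowed-origin list are constructed for illustration.

```javascript
// Added example (not code from the original answer or from the Auth0 docs it
// quotes): server-side helpers for a JWT kept in a cookie, plain Node.js with
// no dependencies. Cookie name, token value and origin list are constructed.

const COOKIE_MAX_BYTES = 4096; // browsers cap a single cookie at about 4 KB

// Build the Set-Cookie header value for an access token.
//   HttpOnly        - not readable from document.cookie, so script injected by
//                     XSS cannot read it (unlike a token in Web Storage)
//   Secure          - only sent over HTTPS, never plain HTTP
//   SameSite=Strict - the browser omits the cookie on cross-site requests,
//                     which removes the CSRF exposure the answer describes
function buildJwtCookie(name, jwt, maxAgeSeconds) {
  // A compact JWT is three base64url segments separated by dots.
  if (!/^[\w-]+\.[\w-]+\.[\w-]*$/.test(jwt)) {
    throw new Error('value is not a compact JWT (header.payload.signature)');
  }
  const header =
    `${name}=${jwt}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
  if (Buffer.byteLength(header, 'utf8') > COOKIE_MAX_BYTES) {
    throw new Error(`cookie exceeds ${COOKIE_MAX_BYTES} bytes; the token carries too many claims`);
  }
  return header;
}

// Parse an incoming Cookie request header into a name -> value map.
function parseCookieHeader(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Origin/Referer check for state-changing requests (POST, PUT, DELETE): the
// request must come from one of the application's own origins. A request
// carrying neither header is rejected rather than trusted.
function isSameOriginRequest(headers, allowedOrigins) {
  if (headers.origin) return allowedOrigins.includes(headers.origin);
  if (headers.referer) {
    try {
      return allowedOrigins.includes(new URL(headers.referer).origin);
    } catch (_) {
      return false; // unparsable Referer
    }
  }
  return false;
}

// Locate the JWT on a request. Browser clients using the cookie send it
// automatically; clients that keep it in localStorage/sessionStorage attach
// it themselves as a Bearer token. Returns null when neither is present.
function extractJwt(headers, cookieName) {
  const auth = headers.authorization || '';
  if (auth.startsWith('Bearer ')) return auth.slice('Bearer '.length).trim();
  return parseCookieHeader(headers.cookie)[cookieName] || null;
}

// Demonstration with constructed values (the token is not a real signed JWT).
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJl';
const ALLOWED_ORIGINS = ['https://app.example'];
console.log(buildJwtCookie('access_token', SAMPLE_JWT, 900));
const request = { cookie: `access_token=${SAMPLE_JWT}`, origin: 'https://app.example' };
console.log('same origin:', isSameOriginRequest(request, ALLOWED_ORIGINS));
console.log('token found:', extractJwt(request, 'access_token') === SAMPLE_JWT);
```

The Origin check is deliberately strict about missing headers: treating "no Origin and no Referer" as trusted would let a client that strips those headers bypass the check, so the framework's CSRF token protection the answer recommends remains the primary control and this header check is the secondary one.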