Technical difference between session and token based auth


Problem description

I'm writing my bachelor's thesis, in which I need to figure out which authentication/authorization method fits best with the company I'm collaborating with.

So I've been comparing the session-based and token-based auth methods, but there are a few points that are unclear to me about how tokens work and how they are better than session authentication:

The only benefits that are 100% clear to me are that tokens can be used from clients that don't have a cookie store, and that they can be used with different subdomains and completely separate domains because this isn't prevented by the browser's CORS policy.

  • I read that all cookies are sent to the origin domain with every request (unless the cookie is set to only be sent over secure connections), which means the token would occur twice in the request, unless of course you are authenticating a user against another domain. Is this a correct assumption?
  • How are tokens validated on the server side? After decryption, are they checked against the username, password and private/secret key, or is it only the private/secret key that is used here?
  • If I need the username/user ID on a server that did not authenticate them when authorizing a resource, can I blindly trust those credentials if I don't have the original user data to check against?

Finally, many articles claim that tokens protect against CSRF.

From this article:

"CSRF: We will also have protection against cross-site request forgery (CSRF). Users are susceptible to CSRF attacks since they can already be authenticated with, say, a banking site, and this could be taken advantage of when visiting other sites."

Which makes absolutely no sense to me. It seems like he's saying that an OAuth-like system prevents CSRF? I don't know a lot about how CSRF works, so it might just be me that is blank here, but as far as I understand, neither sessions nor tokens protect against this, since neither is unique to each request.

Edit: I just realized the reason tokens may prevent CSRF is that they're not automatically sent by the browser if another site manages to submit a form to your server from your browser. But this means tokens can be susceptible if pulled from the cookie header on the server, which, if you use JWT, should not be a problem since it uses its own "Authorization" header, which you must set with JS. But this still makes the scotch.io article's claim sound like nonsense to me.

Answer

Check Cookies vs Tokens: The Definitive Guide for a good summary of the characteristics of traditional cookie-based authentication systems and the more recent token-based systems.

"TL;DR Token-based authentication is more relevant than ever. We examine the differences and similarities between cookie- and token-based authentication, the advantages of using tokens, and address common questions and concerns developers have regarding token-based auth."

I'm not a big fan of this exact terminology, because what you actually place within a cookie can also be considered a token; most of the time it's a by-reference token that maps to some server-side data, while so-called token-based authentication favors by-value tokens (JWT - Learn JSON Web Tokens) that carry the data within the token itself.

"JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed."

The validation of these by-value tokens is accomplished by signatures that ensure that the token was created by the entity holding the associated key used during signing, and that the contents cannot be tampered with by anyone else without knowledge of the key. This premise is the foundation for trusting the received tokens.

In relation to CSRF, it's true that a token-based system will mitigate this because, contrary to what happens with cookies, the browser will not automatically send these token credentials (this assumes the tokens are not included in the request as cookies).

Imagine the following: application CK exposes resources protected with session cookies, and application TK exposes resources protected with tokens.

User X authenticates in both applications and as such will be issued a session cookie for application CK and a token for application TK. If an attacker creates an evil site EV and tricks user X into visiting it, it can perform automatic requests to both application CK and application TK from within the user's browser.

However, for application CK the browser of user X will automatically include the session cookie, and as such evil site EV has just accessed a protected resource, while for the request to application TK the browser will not include the token automatically.
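The following is an added, stand-alone Python example; it is not code from the question, the answer, or the guides they link to. It models both halves of the answer: a by-value HS256 JWT that the server issues and verifies using nothing but the signing key (the asker's second bullet), and a toy browser that attaches cookies automatically but never adds an Authorization header on its own, so the CK/TK/EV scenario can actually be run. The hostnames ck.example, tk.example and ev.example, the signing key, and the session-id generation are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"tk-app-hs256-key-assumed-for-the-example"  # assumed key, not from the page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, key: bytes = SECRET, ttl: int = 3600, now: float = None) -> str:
    """By-value token: the claims travel inside the token under an HS256 signature."""
    now = time.time() if now is None else now
    body = dict(claims, iat=int(now), exp=int(now) + ttl)
    signing_input = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + \
        b64url(json.dumps(body).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, key: bytes = SECRET, now: float = None) -> dict:
    """Server-side check: only the signing key is needed, never the user's password.
    Raises ValueError on any failure; returns the claims that may then be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin the alg; reject "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")  # header, payload or signature was altered
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if now >= claims.get("exp", float("inf")):
        raise ValueError("token expired")
    return claims

def verify_ok(token: str, key: bytes = SECRET, now: float = None) -> bool:
    try:
        verify_jwt(token, key, now)
        return True
    except ValueError:
        return False

def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the payload but keep the old signature, as an attacker without the key would."""
    h, p, s = token.split(".")
    claims = dict(json.loads(b64url_decode(p)), sub=new_sub)
    return h + "." + b64url(json.dumps(claims).encode()) + "." + s

class Browser:
    """Toy browser: cookies for a host go out automatically on every request to that host;
    a bearer token held by a page's script is sent only if that script adds the header."""
    def __init__(self):
        self.cookies = {}  # host -> {name: value}
        self.storage = {}  # origin -> {key: value}, like localStorage

    def request(self, from_origin: str, host: str, headers: dict = None) -> dict:
        headers = dict(headers or {})
        if host in self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies[host].items())
        return {"from": from_origin, "host": host, "headers": headers}

SESSIONS = {}  # app CK: by-reference token (session id) -> server-side user data

def ck_login(browser: Browser, user: str) -> None:
    sid = secrets.token_hex(16)  # assumed session-id scheme for the example
    SESSIONS[sid] = {"user": user}
    browser.cookies.setdefault("ck.example", {})["sid"] = sid

def ck_handle(req: dict):
    pairs = dict(kv.split("=", 1) for kv in req["headers"].get("Cookie", "").split("; ") if kv)
    sess = SESSIONS.get(pairs.get("sid"))
    return sess["user"] if sess else None

def tk_login(browser: Browser, user: str) -> None:
    browser.storage.setdefault("https://tk.example", {})["jwt"] = issue_jwt({"sub": user})

def tk_handle(req: dict):
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        return verify_jwt(auth[len("Bearer "):])["sub"]
    except ValueError:
        return None

def csrf_demo() -> tuple:
    """Returns (user TK sees from its own page, user CK sees via EV, user TK sees via EV)."""
    b = Browser()
    ck_login(b, "X")
    tk_login(b, "X")
    own = tk_handle(b.request("https://tk.example", "tk.example",
                              {"Authorization": "Bearer " + b.storage["https://tk.example"]["jwt"]}))
    via_ev_ck = ck_handle(b.request("https://ev.example", "ck.example"))  # cookie auto-attached
    via_ev_tk = tk_handle(b.request("https://ev.example", "tk.example"))  # EV cannot read TK storage
    return own, via_ev_ck, via_ev_tk
```

`csrf_demo()` returns `("X", "X", None)`: TK accepts the token when its own page sets the header, CK is reached by EV through the automatically attached cookie, and EV's request to TK carries no credential at all. `tamper_sub` shows why the server can trust the claims it reads back: changing `sub` without the key breaks the signature. The verifier pins the algorithm and uses a constant-time comparison; a production service would additionally check `iss`/`aud` and use a maintained JWT library rather than this hand-rolled one.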
