CSRF Token necessary when using Stateless (= Sessionless) Authentication?


Question

Is it necessary to use CSRF Protection when the application relies on stateless authentication (using something like HMAC)?

Example:

  • We have a single page application (otherwise we'd have to append the token to every link: <a href="...?token=xyz">...</a>).
  • The user authenticates himself using POST /auth. On successful authentication the server will return some token.
  • The token will be stored via JavaScript in some variable inside the single page app.
  • This token will be used to access restricted URLs like /admin.
  • The token will always be transmitted inside HTTP Headers.
  • There's NO Http Session, and NO Cookies.

As far as I understand, there should(?!) be no possibility to use cross site attacks, because the browser won't store the token, and hence it cannot automatically send it to the server (that's what would happen when using Cookies/Session).

Am I missing something?

Accepted answer

I found some information about CSRF + using no cookies for authentication:

  1. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
    "since you are not relying on cookies, you don't need to protect against cross site requests"

  2. http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/
    "If we go down the cookies way, you really need to do CSRF to avoid cross site requests. That is something we can forget when using JWT as you will see."
    (JWT = Json Web Token, a Token based authentication for stateless apps)

  3. http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services
    "The easiest way to do authentication without risking CSRF vulnerabilities is to simply avoid using cookies to identify the user"

  4. http://sitr.us/2011/08/26/cookies-are-bad-for-you.html
    "The biggest problem with CSRF is that cookies provide absolutely no defense against this type of attack. If you are using cookie authentication you must also employ additional measures to protect against CSRF. The most basic precaution that you can take is to make sure that your application never performs any side-effects in response to GET requests."

There are plenty more pages which state that you don't need any CSRF protection if you don't use cookies for authentication. Of course you can still use cookies for everything else, but avoid storing anything like session_id inside it.

If you need to remember the user, there are 2 options:

  1. localStorage: An in-browser key-value store. The stored data will be available even after the user closes the browser window. The data is not accessible by other websites, because every site gets its own storage.

  2. sessionStorage: Also an in-browser data store. The difference is: the data gets deleted when the user closes the browser window. But it is still useful if your webapp consists of multiple pages. So you can do the following:

    • User logs in, then you store the token in sessionStorage
    • User clicks a link, which loads a new page (= a real link, and no javascript content-replace)
    • You can still access the token from sessionStorage
    • To logout, you can either manually delete the token from sessionStorage or wait for the user to close the browser window, which will clear all stored data.

(for both have a look here: http://www.w3schools.com/html/html5_webstorage.asp )

Are there any official standards for token auth?

JWT (Json Web Token): I think it's still a draft, but it's already used by many people and the concept looks simple and secure. (IETF: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25 )
There are also libraries for lots of frameworks available. Just google for it!
