Sending session key in the header vs HTTP-Only cookie


Problem description

I would like to know the best option for sending session key in my system.

In my system, there is an API server that is used by web browser, command line interface and desktop apps. It authenticates the user by looking at the Authorization HTTP header.

Currently, the browser stores the session key in the localStorage and attaches it in the Authorization header for requests that require login. However, it was pointed out that a more secure way to store secrets such as session keys is using HTTP-Only cookies.

The problem is that the web browser client will not be able to read the HTTP-Only cookie and put the session key in the HTTP header.

Given the situation, I am thinking about extending the API server to use either one of Authorization header or cookie to authorize users. Is this a feasible option, and are there alternatives?

Recommended answer

You are right, Cookies and Authorization headers are not compatible out of the box. As you pointed out, you are looking at two use-cases: one for browser usage and another for API (cli, desktop app).

If you want to support both via a single authentication scheme, you will need to work a bit more. As a good rule of thumb, browsers work well with cookies, and it's easy to set them up securely. You should opt for cookie-based session management with browsers.

Given the situation, I am thinking about extending the API server to use either one of Authorization header or cookie to authorize users. Is this a feasible option, and are there alternatives?

Yes, this is feasible, and it will make your browser use-case more secure. As for alternatives, I put together a Web Authentication Guide that will greatly assist you in exploring your options.
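The following is an added example, written for this page and not code from the question's API server or from the answer's Web Authentication Guide. It shows one way to implement the dual scheme the question proposes and the answer endorses: one session store behind both an Authorization: Bearer header (CLI, desktop app) and an HttpOnly cookie (browser). It also adds the check a practitioner would want on the cookie path that the thread does not spell out: browsers attach cookies automatically, so cookie-authenticated state-changing requests need a CSRF token, while header-authenticated requests do not. All names (SessionStore, authenticate, set_cookie_header, the cookie and header names) are assumptions; the in-memory store stands in for whatever database the real server uses.

```python
# Added example, not from the original question or answer: an API server
# auth layer that accepts EITHER an Authorization: Bearer header (CLI,
# desktop app) OR an HttpOnly session cookie (browser), backed by one
# session store. Names such as SessionStore and authenticate are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

COOKIE_NAME = "__Host-sid"        # __Host- prefix: requires Secure, Path=/, no Domain
CSRF_HEADER = "x-csrf-token"      # header the browser page script echoes the CSRF token in
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _fingerprint(key: str) -> str:
    # Store only a hash of the session key: a leaked store cannot be replayed,
    # and a dict lookup on the hash avoids comparing raw keys byte-by-byte.
    return hashlib.sha256(key.encode()).hexdigest()


class SessionStore:
    """In-memory session store shared by the browser and the API clients."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> Tuple[str, str]:
        """Return (session_key, csrf_token).

        The key goes either into the HttpOnly cookie (browser) or into the
        Authorization header (CLI, desktop app). The CSRF token is returned to
        the browser in the response body, never in the HttpOnly cookie, so
        page scripts can read it and send it back in a header."""
        key = secrets.token_urlsafe(32)
        csrf = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(key)] = {"user": user, "csrf": csrf}
        return key, csrf

    def lookup(self, key: str) -> Optional[dict]:
        return self._sessions.get(_fingerprint(key))


def set_cookie_header(session_key: str) -> str:
    """Set-Cookie value for the browser login response.

    HttpOnly keeps page scripts (and therefore XSS payloads) from reading the
    key; Secure restricts it to TLS; SameSite=Lax keeps most cross-site
    requests from carrying it."""
    return f"{COOKIE_NAME}={session_key}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _parse_cookies(raw: str) -> Dict[str, str]:
    jar: Dict[str, str] = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def authenticate(method: str, headers: Dict[str, str], store: SessionStore) -> Optional[dict]:
    """Resolve the caller from either credential carrier.

    Returns {"user": ..., "via": "header" | "cookie"} or None when the request
    is unauthenticated. The header path is checked first: a browser cannot be
    tricked into attaching a custom Authorization header cross-site, so it
    needs no CSRF check. The cookie path does, because browsers attach
    cookies to cross-site requests automatically."""
    h = {k.lower(): v for k, v in headers.items()}

    auth = h.get("authorization")
    if auth:
        scheme, _, token = auth.partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return None
        sess = store.lookup(token)
        return {"user": sess["user"], "via": "header"} if sess else None

    key = _parse_cookies(h.get("cookie", "")).get(COOKIE_NAME)
    if not key:
        return None
    sess = store.lookup(key)
    if sess is None:
        return None
    if method.upper() not in SAFE_METHODS:
        # State-changing request authenticated by cookie: require the
        # per-session CSRF token in a header, compared in constant time.
        presented = h.get(CSRF_HEADER, "")
        if not hmac.compare_digest(presented, sess["csrf"]):
            return None
    return {"user": sess["user"], "via": "cookie"}


if __name__ == "__main__":
    store = SessionStore()
    key, csrf = store.create("alice")
    print(set_cookie_header(key))
    print(authenticate("GET", {"Authorization": f"Bearer {key}"}, store))
    print(authenticate("POST", {"Cookie": f"{COOKIE_NAME}={key}"}, store))          # None: no CSRF token
    print(authenticate("POST", {"Cookie": f"{COOKIE_NAME}={key}",
                                "X-CSRF-Token": csrf}, store))
```

With this in place the browser never touches the session key: it gets the HttpOnly cookie from the login response and only handles the CSRF token, while the CLI and desktop app keep sending the same key in the Authorization header. Keeping SameSite=Lax on the cookie and the CSRF token check together is deliberate; SameSite alone is not honoured by every client and does not cover same-site subdomains, so the token remains the server-side guarantee.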
