Standard for storing session key


Question

After doing a bit of research on this topic, it seems like session keys have typically been stored as cookies which is nice because they get automatically added to requests. I've been seeing that developers prefer localstorage to cookies due to less restrictions, though. I am building a React frontend, so persisting a reducer in localstorage and managing the session key in that reducer would be very easy. I would need to append this to requests, which seems to be the only downside. Wondering if there is a standard for how this should be done. Thank you in advance!

Answer

There are only a few places you can store your keys in the browser:

  1. SessionStorage / LocalStorage
  2. Cookies
  3. Web workers
  4. In memory


Cookies

Cookies are one of the best places to put sensitive keys as long as they have the correct configuration/attributes set on them. This includes httpOnly, secure, SameSite, Domain, and making sure they expire in a reasonable time. More reading here on how to set these attributes properly.

Cookies are good to use since they are as secure as HTTPS and cannot be accessed via javascript (if the correct attributes are set, i.e. httpOnly). But note there are still vulnerabilities you have to watch out for, such as a CSRF attack, and you would have to include a CSRF token to counter this vulnerability since the cookie gets added to the headers automatically by the browser.

LocalStorage and session storage are poor places to keep keys since they are accessible via javascript. You can look here at how Auth0 recommends storing keys, and note they persuade against storing it in localStorage for said reasons.

You can store the key in javascript memory (use a closure to encapsulate your key). This has a downside, as the key will not persist after refresh/close/new tab etc., but it is still pretty secure.

Web Workers are another place you can store the key. Workers run in a separate global scope from the rest of the application, so it keeps them pretty secure, and you can have fine-grained control over which APIs the key is sent to.

Auth can be tricky and it can be easy to forget to include something important, so make sure you are well read on all attributes and how each piece works. Or go with pre-made options like Auth0 or single sign-on.
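The cookie attributes the answer lists and the closure pattern it mentions, as an added example that is not part of the original answer: a helper that emits a Set-Cookie value with HttpOnly, Secure, SameSite, Domain and an expiry, an audit function that reports which of those attributes an arbitrary Set-Cookie header is missing, and an in-memory key holder that hands out request headers without ever exposing the key. Node.js, no dependencies; the domain and lifetime values are assumed placeholders.

```javascript
// Attributes the answer says a session cookie should carry (Expires is accepted in place of Max-Age).
const REQUIRED = ['httponly', 'secure', 'samesite', 'domain', 'max-age'];

// Build a hardened Set-Cookie header value. Domain and lifetime are placeholders, not real values.
function buildSessionCookie(name, value, opts = {}) {
  const { domain = 'example.com', maxAgeSeconds = 3600, sameSite = 'Lax' } = opts;
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  // Separators in the value would let a caller smuggle extra attributes into the header.
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite');
  // Secure is always set; browsers reject SameSite=None without it anyway.
  return [
    `${name}=${value}`,
    `Domain=${domain}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Audit check: which REQUIRED attributes does this Set-Cookie value lack?
function missingAttributes(setCookieValue) {
  const attrs = setCookieValue
    .split(';')
    .slice(1) // drop the name=value pair itself
    .map((a) => a.trim().split('=')[0].toLowerCase());
  return REQUIRED.filter(
    (r) => !attrs.includes(r) && !(r === 'max-age' && attrs.includes('expires')),
  );
}

// In-memory alternative from the answer: the key lives only inside this closure. Nothing on
// window or in storage references it; callers receive headers for a request, never the key.
function createKeyHolder() {
  let key = null;
  return {
    set(k) { key = k; },
    clear() { key = null; },
    headersFor() { return key ? { Authorization: `Bearer ${key}` } : {}; },
  };
}

// Demo on a constructed weak cookie versus the hardened one.
const weak = 'sessionid=abc123'; // no attributes: readable by script, sent over plain http and cross-site
console.log('weak cookie lacks:', missingAttributes(weak).join(', '));
console.log('hardened cookie lacks:', missingAttributes(buildSessionCookie('sessionid', 'abc123')));
```

Run the audit against the Set-Cookie headers your own backend emits; any non-empty result is a misconfiguration to fix before relying on the cookie for session handling.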
