Can session storage be safe?

Views: 113

Problem description

I would like to use session storage to query user data in the database only once and then simply use JS to retrieve it, so I'm thinking about using session storage. My question is next: is that safe?

Please note:

1. JS can't be inserted into pages with forms (forms only accept alphanumeric values), so it can only come from the URL

1.1 Query strings like www.website.com/?q=blablabla are not used in PHP (PHP doesn't retrieve any data from the URL)

1.2 Calling JS in the URL with javascript:script... isn't a big concern, since the user can only access his own data, not to mention that he can already access it - that's the point of user data

1.3 Is there a third way of a user being redirected to the site via a link that contains JS that will then be able to access session storage? i.e. something like - www.website.com/script...

My guess is that only something like 1.3 would be a threat (in addition to that, am I missing something?), but does that even exist? And if so, is there a way to prevent it?

Thanks for your time and replies.

Recommended answer

You're essentially relying on two things for session storage security:

  1. The browser limiting access only to the javascript on the page from this domain
  2. The javascript that is running on the page being secure

Now there's not a whole lot you can do about No. 1 because that's the vendor's issue and, not pointing at anyone in particular, most of them are usually pretty good at this kind of thing.

So you can be fairly sure no other code on any other tab, domain, browser or process is going to be able to see your storage object.

However, No. 2 is more difficult. You'll have to evaluate by yourself how secure your page is to script attacks; there's plenty of documentation out there on best practices, but you could go on for days. You really need to judge how sensitive the data is versus how much work and possible loss of features it would be to secure against it.

If it's really sensitive data I'd question why you'd risk storing it client side at all and have access only through HTTPS. But your site should be secured against most scripting attacks anyway, because if 3rd party javascript is running, session cookies are up for grabs and therefore your server security is compromised too.
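As an added example (not part of the original answer), the Node.js model below shows the two reliances the answer names: the browser keys sessionStorage by origin (scheme, host, port), so the path or a `?q=` query string never changes which storage a script sees, while anything that runs inside that origin's page can read the cache, so only non-sensitive fields should go in. The in-memory storage stub, the `CACHEABLE` field list and the `el` object standing in for a DOM element are constructed for this example; in a page you would pass `window.sessionStorage` and a real element.

```javascript
// Origin = scheme + host + port. This is what the browser partitions sessionStorage on
// (per tab); URL path and query string play no part, so www.website.com/?q=... and
// www.website.com/script... land in the same partition as every other page of that origin.
function originOf(url) {
  return new URL(url).origin;
}

// Minimal stand-in for window.sessionStorage (constructed so the example runs in Node).
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// One partition per origin, mirroring reliance No. 1: a page on another origin gets a
// different object and cannot see this one.
const partitions = new Map();
function storageForPage(url) {
  const origin = originOf(url);
  if (!partitions.has(origin)) partitions.set(origin, makeStorage());
  return partitions.get(origin);
}

// Reliance No. 2: every script that executes in the page can read the cache, so keep
// secrets and anything the server trusts (tokens, roles) out of it. Constructed allow-list.
const CACHEABLE = ['displayName', 'locale', 'avatarUrl'];
function cacheUserData(storage, user) {
  const subset = {};
  for (const k of CACHEABLE) if (k in user) subset[k] = user[k];
  storage.setItem('user', JSON.stringify(subset));
  return subset;
}

// Treat a missing or corrupt entry as a cache miss (re-query the server), never as trusted data.
function loadUserData(storage) {
  const raw = storage.getItem('user');
  if (raw === null) return null;
  try { return JSON.parse(raw); } catch { return null; }
}

// Render with textContent, not innerHTML, so a value edited in storage stays plain text.
function renderName(el, user) {
  el.textContent = user && user.displayName ? user.displayName : 'guest';
  return el.textContent;
}
```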
