Where to store JWT in browser? How to protect against CSRF?


Question

I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will need to be applied in order to protect it from CSRF. They are just a bit complicated. (reference)

Recently, I discovered that JSON Web Token (JWT) is quite hot as a solution for authentication. I know the stuff about encoding, decoding, and verifying JWT. However, I don't understand why some websites/tutorials say that there is no need for CSRF protection if JWT is used. I have read quite a lot and have tried to summarize the problems below. I just want someone to provide a bigger picture of JWT and clarify the concepts I misunderstood about JWT.

  1. If the JWT is stored in a cookie, I think it is the same as cookie-based authentication except that the server does not need to have sessions to verify the cookie/token. There is still a risk of CSRF if no special measure is implemented. Isn't JWT stored in a cookie?

  2. If the JWT is stored in localStorage/sessionStorage, then there is no cookie involved, so there is no need to protect against CSRF. The question is how to send the JWT to the server. I found here that it is suggested to use jQuery to send the JWT in an HTTP header of ajax requests. So, can only ajax requests do the authentication?

  3. Also, I found one more blog that points to using the "Authorization header" and "Bearer" to send the JWT. I don't understand the method the blog talks about. Could someone please explain more about "Authorization header" and "Bearer"? Does this make the JWT transmitted in the HTTP header of ALL requests? If yes, what about CSRF?

Recommended answer

JWT tokens are popular since they are used as the default token format in new authorization and authentication protocols like OAuth 2.0 and OpenID Connect.

When the token is stored in a cookie, the browser will automatically send it along with each request to the same domain and this is still vulnerable to CSRF attacks.

Bearer authentication is one of the authentication schemes defined in HTTP. It basically means that YOU stick the (JWT) token in the Authorization HTTP header of a request. The browser will NOT do this for you automatically, so it's not suitable for protecting your website. As the browser does not automatically add the header to your request, it is not vulnerable to a CSRF attack, which depends on your authentication info being submitted automatically to the original domain.

The bearer scheme is often used to protect web APIs (REST services) that are consumed via AJAX calls or from mobile clients.
