Should JWT be stored in localStorage or cookie?


Question

For the purpose of securing a REST API using JWT, according to some materials (like this guide and this question), the JWT can be stored in either localStorage or Cookies. Based on my understanding:

  • localStorage is subjected to XSS and generally it's not recommended to store any sensitive information in it.
  • With Cookies we can apply the flag "httpOnly" which mitigates the risk of XSS. However if we are to read the JWT from Cookies on the backend, we then are subjected to CSRF.

So based on the above premise - it will be best if we store the JWT in Cookies. On every request to the server, the JWT will be read from Cookies and added in the Authorization header using the Bearer scheme. The server can then verify the JWT in the request header (as opposed to reading it from the cookies).

Is my understanding correct? If so, does the above approach have any security concern? Or actually can we just get away with using localStorage in the first place?

Recommended answer

I like the XSRF Double Submit Cookies method mentioned in the article that @pkid169 referred to, but there is one thing that article doesn't tell you. You are still not protected against XSS, because what the attacker can do is inject a script that reads your CSRF cookie (which is not HttpOnly) and then make a request to one of your API endpoints using this CSRF token, with the JWT cookie being sent automatically.

So in reality you are still susceptible to XSS; it's just that the attacker can't steal your JWT token for later use, but he can still make requests on your users' behalf using XSS.

Whether you store the JWT in localStorage or store the XSRF token in a non-HttpOnly cookie, XSS can easily grab either. Even your JWT in an HttpOnly cookie can be grabbed by advanced XSS attacks.

So in addition to the Double Submit Cookies method, you must always follow best practices against XSS, including escaping content. This means removing any executable code that would cause the browser to do something you don't want it to. Typically this means removing // <![CDATA[ tags and HTML attributes that cause JavaScript to be evaluated.
