CSRF Token necessary when using Stateless (= Sessionless) Authentication?


Problem description

Is it necessary to use CSRF Protection when the application relies on stateless authentication (using something like HMAC)?

Example:

  • We have a single page application (otherwise we would have to append the token to every link: <a href="...?token=xyz">...</a>).
  • The user authenticates himself using POST /auth. On successful authentication the server will return some token.
  • The token will be stored via JavaScript in some variable inside the single page app.
  • This token will be used to access restricted URLs like /admin.
  • The token will always be transmitted inside HTTP Headers.
  • There's NO Http Session, and NO Cookies.

As far as I understand, there should(?!) be no possibility to use cross site attacks, because the browser won't store the token, and hence it cannot automatically send it to the server (that's what would happen when using Cookies/Session).

Am I missing something?

Recommended answer

I found some information about CSRF + using no cookies for authentication:

  1. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
     "since you are not relying on cookies, you don't need to protect against cross site requests"

  2. http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/
     "If we go the cookie way, you really need to do CSRF to avoid cross-site requests. As you will see, that is something we can forget about when using JWT."
     (JWT = Json Web Token, a token-based stateless authentication for applications)

  3. http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services
     "The easiest way to do authentication without risking CSRF vulnerabilities is to simply avoid using cookies to identify the user"

  4. http://sitr.us/2011/08/26/cookies-are-bad-for-you.html
     "The biggest problem with CSRF is that cookies provide absolutely no defense against this type of attack. If you are using cookie authentication you must also employ additional measures to protect against CSRF. The most basic precaution that you can take is to make sure that your application never performs any side-effects in response to GET requests."

There are plenty more pages which state that you don't need any CSRF protection if you don't use cookies for authentication. Of course you can still use cookies for everything else, but avoid storing anything like session_id inside them.

If you need to remember the user, there are 2 options:

  1. localStorage: An in-browser key-value store. The stored data will be available even after the user closes the browser window. The data is not accessible by other websites, because every site gets its own storage.

  2. sessionStorage: Also an in-browser data store. The difference is: the data gets deleted when the user closes the browser window. But it is still useful if your webapp consists of multiple pages. So you can do the following:

     • User logs in, then you store the token in sessionStorage
     • User clicks a link, which loads a new page (= a real link, and no javascript content-replace)
     • You can still access the token from sessionStorage
     • To logout, you can either manually delete the token from sessionStorage or wait for the user to close the browser window, which will clear all stored data.

  (See here for both: http://www.w3schools.com/html/html5_webstorage.asp )

Are there any official standards for token auth?

JWT (Json Web Token): I think it's still a draft, but it's already used by many people and the concept looks simple and secure. (IETF: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-25 )
There are also libraries available for lots of frameworks. Just google for it!
