Where to store JWT in browser? How to protect against CSRF?


Problem description

I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will need to be applied in order to protect it from CSRF. They are just a bit complicated. (reference)

Recently, I discovered that JSON Web Token (JWT) is quite hot as a solution for authentication. I know the stuff about encoding, decoding, and verifying JWT. However, I don't understand why some websites/tutorials say that there is no need for CSRF protection if JWT is used. I have read quite a lot and have tried to summarize the problems below. I just want someone to provide a bigger picture of JWT and clarify the concepts I misunderstood about JWT.

  1. If the JWT is stored in a cookie, I think it is the same as cookie-based authentication except that the server does not need to have sessions to verify the cookie/token. There is still a risk of CSRF if no special measure is implemented. Isn't JWT stored in a cookie?

  2. If the JWT is stored in localStorage/sessionStorage, then there is no cookie involved, so there is no need to protect against CSRF. The question is how to send the JWT to the server. I found here that it is suggested to use jQuery to send the JWT in the HTTP header of ajax requests. So, only the ajax requests can do the authentication?

  3. Also, I found one more blog that points to using the "Authorization header" and "Bearer" to send the JWT. I don't understand the method the blog talks about. Could someone please explain more about the "Authorization header" and "Bearer"? Does this make the JWT transmitted in the HTTP header of ALL requests? If yes, what about CSRF?

Recommended answer

JWT tokens are popular since they are used as the default token format in new authorization and authentication protocols like OAuth 2.0 and OpenID Connect.

When the token is stored in a cookie, the browser will automatically send it along with each request to the same domain, and this is still vulnerable to CSRF attacks.

Bearer authentication is one of the authentication schemes defined in HTTP. It basically means that YOU stick the (JWT) token in the Authorization HTTP header of a request. The browser will NOT do this for you automatically, so it's not suitable for protecting your website. As the browser does not automatically add the header to your request, it is not vulnerable to a CSRF attack, which depends on your authentication info being submitted automatically to the original domain.

The bearer scheme is often used to protect web APIs (REST services) that are consumed via AJAX calls or from mobile clients.
