How safe is JWT?


Question

I am learning about JWT for the security of my project, but I have a question. If I receive the token correctly after I did the login, but someone else (hacker) in another place steals this specific token, can he access my session? Is the server that uses JWT authentication able to detect this and protect me? How?

Answer

Only the server should know the "secret" that is used to generate the JWT. If someone modifies the data contained in the JWT, the server will fail to decode it. So the server can trust any JWT that it can decode.

However, if a hacker got access to your computer, they could see the JWT that is stored in the browser and use it. This same threat exists w/cookies, so it's not really a flaw of the JWT.

One way to mitigate this threat is the expiration date of the JWT. For a banking app, your JWT might expire after a few minutes. For Facebook, it might expire after a few months. However, there's no bulletproof solution to this if someone gets access to your browser.

Another approach for hackers would be a "man in the middle" attack to intercept the network traffic between client and server and get at the cookie/JWT. The cookie/JWT should always be sent over HTTPS to prevent this.

Important edit

Finally, to answer the question in your title, "How safe is JWT?": It depends on how you store the token. Local storage is not as secure as using cookies (reference) but cookies can be subject to CSRF or XSRF exploits.

This answer used to say JWT was safer than cookies, because cookies were subject to CSRF attacks. But storing JWT in local storage is not safe either. As a result, I'm no longer storing my JWT in local storage, and I'm using well-known techniques to mitigate CSRF attacks.
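The answer above makes three claims that are easy to check in code: a server only trusts a token whose signature verifies under its secret, a short `exp` limits how long a stolen token is useful, and a stolen token that is still fresh is indistinguishable from the legitimate one. The following is an added example written for this page, not code from the asker or the answerer. It implements HS256 JWTs with only the Python standard library (`hmac`, `hashlib`, `base64`, `json`) so it runs offline; the secret, the claims and the timestamps are constructed values. The explicit `alg` check and the `Set-Cookie` attributes are the hardening a practitioner would add on top of what the answer says; they are not part of the original answer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for the demo only. A real deployment loads this
# from a secret store and never embeds it in source.
SECRET = b"hypothetical-server-only-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(claims: dict, secret: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build header.payload.signature with an iat/exp window of ttl_seconds."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the token is intact and unexpired, else raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token's header choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    # RFC 7519: the current time must be strictly before exp.
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("expired")
    return payload


def check(token: str, secret: bytes, now: int) -> str:
    """Summarise the server's decision for a presented token."""
    try:
        verify_jwt(token, secret, now=now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def session_cookie_header(token: str, ttl_seconds: int) -> str:
    """Cookie attributes for storing the JWT instead of localStorage:
    HttpOnly keeps page script from reading it, Secure restricts it to HTTPS,
    SameSite=Strict stops browsers attaching it to cross-site requests (CSRF)."""
    return (f"Set-Cookie: session={token}; Max-Age={ttl_seconds}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the three claims with a 5-minute token issued at a fixed time."""
    token = mint_jwt({"sub": "alice"}, SECRET, ttl_seconds=300, now=now)
    header_b64, _, sig_b64 = token.split(".")
    results = {"valid": check(token, SECRET, now + 10)}
    # Attacker rewrites the payload to another user but cannot recompute the MAC.
    forged_payload = _json_b64({"sub": "bob", "iat": now, "exp": now + 300})
    results["tampered"] = check(f"{header_b64}.{forged_payload}.{sig_b64}", SECRET, now + 10)
    # Attacker strips the signature and claims alg=none; the pinned check refuses it.
    results["alg_none"] = check(f"{_json_b64({'alg': 'none'})}.{forged_payload}.", SECRET, now + 10)
    # The same token one second past exp is rejected: expiry bounds the damage of theft.
    results["expired"] = check(token, SECRET, now + 301)
    # A stolen copy presented within its lifetime is accepted: the server cannot tell.
    results["stolen_fresh_copy"] = check(token, SECRET, now + 60)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
    print(session_cookie_header("<jwt>", 300))
```

The `stolen_fresh_copy` result is the answer's key point in one line: signature verification proves the token was issued by the server, not that the bearer is the user it was issued to, so storage hygiene (HttpOnly cookie, HTTPS) and a short `exp` are what limit the blast radius of theft.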
