Security of Token Based Authentication


Question

My understanding of token-based authentication is that upon authentication (perhaps over SSL), a token is passed to the user for cheap user verification on the fly. One implementation of this would be to generate a cookie that is passed to the user for session management.

But my understanding is that token-based auth (at least through cookies) is susceptible to man-in-the-middle attacks like Firesheep.

Are there other methods of implementation that skirt this major security issue, or do I have a fundamental misunderstanding of TBA?

Answer

Your understanding is good. Fundamentally, in terms of how the application sees it, a token may as well be a username and password. If someone has the token, they can authenticate themselves to your application. The main purpose in the case of an HTTP cookie is to avoid leaking the username and password should someone obtain the cookie by means of a cross-site scripting vulnerability (XSS) or otherwise. Yes, given the right circumstances they can "replay" this token to the application as a "man in the middle", but they shouldn't be able to figure out the username/password pairing from it. But again, this is not guaranteed if the token-generating algorithm is weak, say, if you decided to BASE64-encode the username and password concatenated together and use that as the value.

Typically you keep the token -> user mapping secure on the server side. So ultimately your security is all based around keeping the token safe and ensuring that its lifetime is controlled (e.g. it expires and/or is only valid when given to you from the same IP as that used by the original provider of the credentials; again, just an example).

Hope this helps

-Oisin
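As an added example, not part of the original question or answer, the following Python sketches the two points the answer makes: a random, opaque token whose mapping to the user lives entirely on the server, with a TTL and optional binding to the client IP that logged in, shown beside the weak base64(username:password) scheme, which is not a secret at all because anyone holding it can decode it. It also builds the cookie string for the token with the Secure and HttpOnly attributes, which addresses the Firesheep case in the question (a cookie sent over plaintext HTTP can be sniffed on an open network). The SessionStore class, the session_cookie function, storing only a SHA-256 of the token server-side, and all inputs are assumptions made for illustration, not any framework's API.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# --- The weak scheme the answer warns against -------------------------------
# base64 is an encoding, not encryption: whoever holds this "token" can read
# the username and password straight out of it.

def weak_token(username: str, password: str) -> str:
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_credentials(token: str) -> Tuple[str, str]:
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


# --- Server-side session store (illustrative, not any framework's API) -------

@dataclass
class Session:
    username: str
    issued_at: float   # Unix time the token was issued
    client_ip: str     # address that presented the credentials


class SessionStore:
    """Maps an opaque random token to a user, entirely on the server side.

    The token carries no information about the user. Only a SHA-256 of it is
    stored, so a leaked session table does not hand out live tokens.
    """

    def __init__(self, ttl_seconds: int = 3600, bind_ip: bool = True) -> None:
        self._sessions: Dict[str, Session] = {}
        self.ttl = ttl_seconds
        self.bind_ip = bind_ip

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, client_ip: str, now: Optional[float] = None) -> str:
        """Create a session after the caller has already verified the password."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = Session(username, now, client_ip)
        return token

    def lookup(self, token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for a valid token, or None.

        A token older than the TTL is rejected and dropped. With IP binding on,
        a token presented from a different address than the one that logged in
        is rejected (but kept, so the legitimate client keeps working).
        """
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now - session.issued_at > self.ttl:
            del self._sessions[key]
            return None
        if self.bind_ip and session.client_ip != client_ip:
            return None
        return session.username

    def revoke(self, token: str) -> bool:
        """Server-side logout: once the mapping is gone the token is worthless."""
        return self._sessions.pop(self._key(token), None) is not None


def session_cookie(token: str, max_age: int) -> str:
    """Cookie string for the token. Secure keeps it off plaintext HTTP (the
    Firesheep case); HttpOnly keeps it away from script running in the page."""
    return f"sid={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample input: a fixed clock so the TTL behaviour is visible.
    print(recover_credentials(weak_token("alice", "hunter2")))
    store = SessionStore(ttl_seconds=60)
    tok = store.issue("alice", "10.0.0.5", now=1000.0)
    print(session_cookie(tok, 60))
    print(store.lookup(tok, "10.0.0.5", now=1030.0))   # alice
    print(store.lookup(tok, "10.0.0.9", now=1030.0))   # None: other IP
    print(store.lookup(tok, "10.0.0.5", now=1061.0))   # None: expired
```

IP binding is left switchable because, as the answer notes, it is only one example of limiting a token's lifetime: clients behind carrier NAT or moving between networks change address mid-session, so many deployments prefer a short TTL plus server-side revocation over a hard IP check.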
