也可把休息的身份验证令牌上SPA客户端的任何安全的方式？ [英] Is there any safe way to keep rest auth token on the client side for SPA?

问题描述

如果我们从其他服务器的令牌，并在授权每个请求使用AuthorizationToken头，我们仍然需要保持它时，浏览器的页面被关闭。

唯一的通用办法做到这一点是把令牌饼干。但是，即使不使用用于验证的饼干这样的方式，可以将它们通过XSS被盗。
而且我们不能使用的HttpOnly标志。所以：

1. 是为了保护令牌，并保持它的安全的任何其他特定方式？




2. 如果整个会话过程中使用HTTPS和令牌饼干被盗，是否有可能使用令牌劫持HTTPS会话？

解决方案

我的答案也许是有点幼稚，但为什么不存储在持久性存储浏览器的标记。如果您使用的角度，用code如下描述：

 功能（（...），$窗口）{
    （......）
    $ window.sessionStorage ['userToken'] ='＆lt;使用者令牌＆GT;';
}
 

我真的不看其他的方法（例外饼干），以保持这样的提示时，浏览器的页面被关闭。

与饼干的问题是，您的客户端需要透明地利用此功能的浏览器......此外，它真的不是为RESTful服务中身份验证的更好的方法; - ）

可以使用安全令牌的具有到期日期和刷新它们的能力的机制结合此，如在下面的链接描述：<一href=\"https://templth.word$p$pss.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/\" rel=\"nofollow\">https://templth.word$p$pss.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.

此外，您可以像使用角JS框架，提供解决方案，以XSS。例如，参见以下链接：

• http://java.dzone.com/articles/angularjs-how-处理-XSS


• angularjs +跨站点脚本preventing

希望它提供了一些提示，您的问题，
蒂埃里

If we get token from the rest server and use AuthorizationToken header in every request for authorization, we still need to keep it when the browser's page is closed.

The only universal way to do it is to put the token to cookies. But in such way even if the cookies are not used for authentication, they can be stolen by XSS. And we can't use httpOnly flag. So:

1. Are there any other specific ways to protect the token and keep it safe?

2. If HTTPS is used during the whole session and the cookies with token were stolen, is it possible to hijack the https session with a token?

解决方案

My answer is perhaps a bit naive but why not store the token in the persistence storage of your browser. If you use Angular, with code as describe below:

function((...), $window) {
    (...)
    $window.sessionStorage['userToken'] = '<user-token>';
}

I don't really see other approaches (exception cookies) to keep such hints when the browser's page is closed.

The problem with cookies is that your client needs to be a browser to leverage this feature transparently... Moreover it's really not the better approach for authentication within RESTful services ;-)

You can combine this with a mechanism of security tokens with an expiration date and the ability to refresh them, as described in the following link: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.

In addition, you can use JS framework like Angular that provides solutions to XSS. See the following links for example:

• http://java.dzone.com/articles/angularjs-how-handle-xss
• angularjs + cross-site scripting preventing

Hope it provides some hints to your issue, Thierry

这篇关于也可把休息的身份验证令牌上SPA客户端的任何安全的方式？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！