How is JSON Web Token more secure than cookie/session?


Problem description


How is using a JSON Web Token more secure than an opaque session token? In both scenarios the tokens are first sent to the client and then verified on the server when the client requests a protected resource.

Recommended answer


There are several reasons people say JWTs are more secure. I’ll list them and also give you reasons why that might not really be the case as it swings both ways.


  1. JWTs can be signed using a secret with secure algorithms like HS256 and RS256. A comprehensive list can be found here. On top of that, you can also encrypt the payload of the JSON Web token. However, session tokens can also be generated securely with a top-notch algorithm and stored in a signed cookie.


  2. JWT can either be stored in a cookie or Web Storage (local/session storage). If you are not storing your JWTs in a cookie, then you are not vulnerable to CSRF. And you can decide to send them through the Authorization header for every HTTP request. However, there is still a caveat. JavaScript is used to access the JWT from the Web storage, which still leaves you open to other forms of attack such as XSS (Cross-Site Scripting). Worthy of mention is that it is easier to deal with XSS than CSRF.


  3. In the case of OAuth, opaque tokens, otherwise known as bearer tokens, are random strings that will be stored in some kind of hashed storage on the server together with an expiration, the scope requested (e.g. access to friend list) and the user who gave consent. Later, when the API is called, this token is sent and the server looks it up in the hash table, rehydrating the context to make the authorization decision (did it expire? does this token have the right scope associated with the API that wants to be accessed?). The main difference between opaque tokens and signed tokens (e.g. JWT) is that JWTs are stateless. They don’t need to be stored in a hash table.


  4. The libraries used to sign and encrypt your JWTs should be secure to ensure your authentication process is also secure. You should also use cookies as a storage mechanism rather than using them for login. You can argue that there are more benefits to using JWTs, like they are easier to scale and they can be used in OAuth cases, which you can find in this article. At the end of the day, in my opinion it simply falls on the developers’ reasoning/logic to ensure the right steps are followed to make an app secure regardless of what form of token is used for authentication or authorization. Use case is also key in this context!
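Added example, not part of the question or the answer above: a minimal HS256 issuer/verifier next to an opaque-token lookup table, so the stateless-versus-lookup difference from points 1 and 3 (and the same expiry and scope checks on both sides) can be run end to end. The key, the claims and the scope name are constructed for the demo, and the hand-rolled JWT code is a teaching sketch rather than a replacement for the vetted library the answer calls for.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key-do-not-reuse"  # assumption: server-side HS256 key

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims, key=SECRET):
    """Stateless: subject, expiry and scope travel inside the token, signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, scope, key=SECRET, now=None):
    """No server lookup: check algorithm and signature, then the embedded claims."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = (json.loads(_b64url_decode(h)),
                               json.loads(_b64url_decode(p)), _b64url_decode(s))
    except ValueError:
        return None  # malformed base64/JSON or wrong number of segments
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the header choose it
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # payload or signature was altered
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or scope not in claims.get("scope", []):
        return None  # expired, or token lacks the scope this API requires
    return claims

OPAQUE_STORE = {}  # server-side table keyed by a hash of the random token

def issue_opaque(claims):
    """Stateful: the token is only a random string; the context stays on the server."""
    token = secrets.token_urlsafe(32)
    OPAQUE_STORE[hashlib.sha256(token.encode()).hexdigest()] = claims
    return token

def verify_opaque(token, scope, now=None):
    """Rehydrate the context from the table, then apply the same exp/scope checks."""
    claims = OPAQUE_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    now = time.time() if now is None else now
    if claims is None or claims.get("exp", 0) <= now or scope not in claims.get("scope", []):
        return None
    return claims
```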
