Is token-based authentication secure when


Question

Any request is made via HTTPS and the token is transmitted in one of the following ways:

a) GET https://foo.dom/foobar?auth_token=abcxyz

b) GET https://foo.dom/foobar with an HTTP header like X-FOOBAR-TOKEN: abcxyz

As I understand SSL, in the case of an HTTP request the client first negotiates the SSL connection and only transmits additional parameters and/or HTTP headers once the secure connection has been established successfully.

Am I right so far?

Thanks for any suggestion. Felix

Accepted answer

SSL buys you encryption of the transport, so no one can snag the auth token while it is being sent to/from the site. There are some man-in-the-middle attacks that can be performed against SSL, but generally SSL should protect the token content.

What makes or breaks the security is whether or not the token itself is cryptographically secure. If that can be said to be true, then you are golden. Check out this site: http://web.mit.edu/kerberos/dialogue.html.

There are plenty of other sites that use secure tokens for auth, see: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html.
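As an added illustration (not part of the question or the answer above), here is a Python sketch of the header-based variant (b) as a defender would build it: the token is drawn from a CSPRNG so that it is "cryptographically secure" in the answer's sense, only its hash is stored server-side, and a token that arrives in the query string (variant a) is rejected, because HTTPS encrypts the URL in transit but the URL is still written to access logs, browser history and Referer headers. The header name X-FOOBAR-TOKEN and the parameter auth_token are taken from the question; the in-memory store and the user id are constructed for the example.

```python
import hashlib
import hmac
import secrets

HEADER_NAME = "X-FOOBAR-TOKEN"   # header from variant (b) in the question
QUERY_PARAM = "auth_token"       # parameter from variant (a) in the question

# Constructed in-memory store: sha256(token) -> user id. Only the hash is
# kept, so a leaked store does not hand out usable bearer tokens.
TOKEN_STORE = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id):
    """Mint a token with 256 bits of CSPRNG entropy and store only its hash."""
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[_digest(token)] = user_id
    return token


def extract_token(headers, query):
    """Return (token, source) where source is 'header', 'query' or None."""
    for name, value in headers.items():          # header names are case-insensitive
        if name.lower() == HEADER_NAME.lower():
            return value.strip(), "header"
    if QUERY_PARAM in query:
        return query[QUERY_PARAM], "query"
    return None, None


def authenticate(headers, query):
    """Return the user id for a valid header token, else None."""
    token, source = extract_token(headers, query)
    if token is None or source != "header":
        # Query-string tokens are refused: they survive in server/proxy logs,
        # browser history and Referer headers even though TLS hid them on the wire.
        return None
    presented = _digest(token)
    # Constant-time comparison against each stored digest, so a wrong token
    # leaks nothing through timing about how close its hash was to a real one.
    for stored, user_id in TOKEN_STORE.items():
        if hmac.compare_digest(stored, presented):
            return user_id
    return None
```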
