Where is the right and secure place to store a JWT token in a web-based application?

2022-01-10 00:00:00 jwt browser frontend javascript

I'm familiar with Web Storage APIs and cookies but I can't figure out what is the most secure way to store an authentication token. I'm wondering if this might break any third-party libraries.

I'd like to have an exhaustive list of available methods to do so, with the pros and cons of each and the best way above all, if any.

Recommended answer

Where to Store Your JWTs

With token-based authentication, you are given the choice of where to store the JWT. We strongly recommend that you store your tokens in local storage/session storage or a cookie.

Commonly, the JWT is placed in the browser's local storage and this works well for most use cases.

When logging in a user with a username and password, the response body contains the access_token JWT. Then you need to handle this response in the client-side code. This token can then be stored in localStorage or sessionStorage.


Both localStorage and sessionStorage extend Storage. The only difference between them is the persistence of the data:

  • localStorage - data persists until explicitly deleted. Changes made are saved and available for all current and future visits to the site.
  • sessionStorage - changes made are saved and available for the current page, as well as future visits to the site in the same window. Once the window is closed, the storage is deleted.

  • Unlike cookies, local storage is sandboxed to a specific domain and its data cannot be accessed by any other domain, including sub-domains.
  • Web storage is accessible through JavaScript on the same domain, so any JavaScript running on your site will have access to web storage, and because of this it can be vulnerable to cross-site scripting (XSS) attacks.
  • The developer must ensure that the JWT is always sent over HTTPS and never HTTP.

You can also use cookies to store the JWT. The exact way to set a cookie depends on the client-side language you are using.

There are different options to control the lifetime of a cookie:

  • Cookies can be destroyed after the browser is closed (session cookies).
  • Implement a server-side check (typically done for you by the web framework in use), and you could implement expiration or sliding window expiration.
  • Cookies can be persistent (not destroyed after the browser is closed) with an expiration.
  • Cookies can be read by both JavaScript and the server-side code, or only by the server side if the httpOnly flag is set.
  • The max size of a cookie is only 4kb, so that may be problematic if you have many claims attached to the token.
  • Cookies can be vulnerable to cross-site request forgery (CSRF or XSRF) attacks. This type of attack occurs when a malicious web site causes a user's web browser to perform an unwanted action on a trusted site where the user is currently authenticated. This is an exploit of how the browser handles cookies. Using a web app framework's CSRF protection makes cookies a secure option for storing a JWT. CSRF can also be partially prevented by checking the HTTP Referer and Origin headers.
  • Cookies can be difficult to implement if the application requires cross-domain access. Cookies have additional properties (Domain/Path) that can be modified to allow you to specify where the cookie is allowed to be sent.

Source: https://auth0.com/docs/security/store-tokens#how-to-implement
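The two storage options the answer lays out, as an added example that is not part of the original answer or of the Auth0 documentation it quotes. It shows the client side keeping the `access_token` from the login response in a `Storage` object (`sessionStorage` or `localStorage`, which only differ in how long the data lives) and refusing to send it over plain HTTP, and the server side building the cookie alternative with `HttpOnly`, an optional `Max-Age` to turn a session cookie into a persistent one, the `Domain`/`Path` scoping, a check against the 4kb cookie limit, and the partial CSRF check on the `Origin`/`Referer` headers. The `Secure` and `SameSite=Lax` cookie attributes are additions the answer does not name; the `MemoryStorage` class, the storage key name, the cookie name `jwt` and the `example.test` origins are constructed so the code runs under Node without a browser.

```javascript
// Constructed stand-in for window.localStorage / window.sessionStorage so the
// example runs outside a browser; it mimics the part of the Storage interface used here.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
  get length() { return this.items.size; }
}

const TOKEN_KEY = 'access_token'; // assumed key name under which the JWT is stored

// Client side: after the login response arrives, keep the access_token in whichever
// Storage the caller chose (sessionStorage is cleared when the window closes,
// localStorage persists until the token is explicitly removed).
function storeAccessToken(storage, loginResponseBody) {
  const token = loginResponseBody && loginResponseBody.access_token;
  // A compact JWS has exactly three dot-separated segments; reject anything else early.
  if (typeof token !== 'string' || token.split('.').length !== 3) {
    throw new Error('login response did not contain a JWT access_token');
  }
  storage.setItem(TOKEN_KEY, token);
  return token;
}

// Client side: build the Authorization header for a request, enforcing the answer's
// rule that the JWT is only ever sent over HTTPS.
function authHeadersFor(storage, url) {
  const token = storage.getItem(TOKEN_KEY);
  if (token === null) throw new Error('no token stored');
  if (!url.startsWith('https://')) throw new Error('refusing to send JWT over a non-HTTPS URL');
  return { Authorization: `Bearer ${token}` };
}

// Server side: the Set-Cookie value for the cookie alternative. Without maxAgeSeconds
// the result is a session cookie (destroyed when the browser closes); with it, a
// persistent cookie that expires. HttpOnly keeps the token out of document.cookie.
const COOKIE_LIMIT = 4096; // the ~4kb per-cookie limit the answer mentions

function buildTokenCookie(token, { name = 'jwt', maxAgeSeconds, path = '/', domain } = {}) {
  const parts = [`${name}=${token}`, `Path=${path}`, 'HttpOnly', 'Secure', 'SameSite=Lax'];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
  const header = parts.join('; ');
  const size = Buffer.byteLength(header, 'utf8');
  if (size > COOKIE_LIMIT) {
    throw new Error(`cookie would be ${size} bytes, over the ${COOKIE_LIMIT}-byte limit`);
  }
  return header;
}

// Server side: the partial CSRF check the answer describes. A request carrying the
// cookie is accepted only if its Origin header (or, failing that, the origin part of
// Referer) matches the site's own origin; a request with neither header is rejected.
function originAllowed(headers, siteOrigin) {
  const origin = headers.origin;
  if (origin) return origin === siteOrigin;
  const referer = headers.referer;
  if (referer) {
    try { return new URL(referer).origin === siteOrigin; } catch (e) { return false; }
  }
  return false;
}

module.exports = { MemoryStorage, storeAccessToken, authHeadersFor, buildTokenCookie, originAllowed };
```

`originAllowed` is deliberately a complement to, not a replacement for, the framework's CSRF protection the answer recommends: browsers do not attach `Origin` to every request, which is why the fallback to `Referer` and the reject-when-absent default are there.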
