問題描述

Stormpath 有很多博客文章討論應(yīng)該如何使用 cookie 來存儲(chǔ) JWT，而不是 sessionStorage/localStorage:

There are a lot of blog posts from Stormpath that talk about how you ought to use cookies to store your JWT instead of sessionStorage/localStorage:

• https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
• https://stormpath.com/blog/token-auth-spa
• https://stormpath.com/blog/build-secure-用戶界面使用 jwts

主要原因是，如果您加載的第 3 方 javascript 依賴項(xiàng)受到損害，它可以通過 sessionStorage/localStorage 竊取并將 JWT 傳輸?shù)侥硞€(gè)地方.

The main stated reason is that if a 3rd-party javascript dependency that you load is compromised that it can pilfer through sessionStorage/localStorage and transmit off the JWT to somewhere.

但這對(duì)我來說是一個(gè)令人困惑的原因.我了解攻擊向量，但如果您有一個(gè)受損的 3rd-party javascript 依賴項(xiàng)，那么您是不是真的搞砸了，因?yàn)樗梢员O(jiān)聽/捕獲您的用戶在與您的應(yīng)用程序交互時(shí)所做的任何事情?

But this is confusing as a reason to me. I understand the attack vector, but if you have a compromised 3rd-party javascript dependency, aren't you effectively screwed anyway, since it can listen-in/capture anything your users do as they interact with your app?

推薦答案

我是https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

當(dāng)頁面上存在 XSS 時(shí)，攻擊者有權(quán):

When XSS exist on a page, an attacker is privileged to:

• HTML5 網(wǎng)絡(luò)存儲(chǔ)(本地和會(huì)話)
• 未設(shè)置 httpOnly 標(biāo)志的 Cookies
• 控制標(biāo)簽直到它被關(guān)閉并且能夠提出未經(jīng)授權(quán)的請(qǐng)求

您還可以開始制定攻擊以繞過 XSRF 保護(hù).

You can also start to formulate attacks to get around XSRF protection.

當(dāng)存在 XSRF 漏洞時(shí)，攻擊者有權(quán):

When an XSRF vulnerability exists, an attacker is privileged to:

• 從第三方域發(fā)出未經(jīng)授權(quán)的請(qǐng)求，前提是您可以將用戶引誘到那里(或在存在 XSS 的情況下將其發(fā)送到那里).

您可以看到，當(dāng)存在 XSS 漏洞時(shí)，您可以發(fā)出未經(jīng)授權(quán)的請(qǐng)求，攻擊者需要跳過更多的障礙來利用 XSRF.這意味著當(dāng) XSS 存在時(shí)(無論是否有 XSRF 保護(hù))，都會(huì)存在發(fā)出未授權(quán)請(qǐng)求的攻擊向量.

You can see that when an XSS vulnerability exists, you are able to make unauthorized requests and an attacker would need to jump through some more hoops to exploit XSRF. This means that when XSS exists (regardless of XSRF protection or not), the attack vector of making unauthorized requests will exist.

希望這可以為我的下一點(diǎn)解決問題.

Hopefully, that clears things up for my next point.

與竊取代表用戶身份和會(huì)話的無狀態(tài)令牌相比，XSRF 攻擊或未經(jīng)授權(quán)的請(qǐng)求的影響和范圍更小.泄露令牌意味著攻擊者將擁有完全控制權(quán)，可以代表用戶在他的時(shí)間、在他的機(jī)器上制定攻擊.

An XSRF attacks or unauthorized requests has less impact and scope than stealing a stateless token that represents the user's identity and session. Leaking the token means that an attacker will have full control to formulate an attack on behalf of the user, on his time, on his machines.

總之，當(dāng)你存在 XSS 時(shí):

In conclusion, in presence of XSS when you:

• 在網(wǎng)絡(luò)存儲(chǔ)中存儲(chǔ)訪問令牌，在 XSS 存在期間使用您網(wǎng)站的任何用戶的令牌都會(huì)受到損害.這意味著攻擊者可以獲得數(shù)以千計(jì)的有效訪問令牌，并可能造成很多傷害(如果您將刷新令牌存儲(chǔ)在 Web 存儲(chǔ)中，則危害更大).用戶也容易從自己的瀏覽器發(fā)出未經(jīng)授權(quán)的請(qǐng)求.

• store an access token in web storage, the tokens for any user that uses your site during the time of the existence of XSS is compromised. This means an attacker could get thousands of valid access tokens and can possibly do a lot of harm (even more if you store refresh tokens in web storage). The users are also vulnerable to making unauthorized requests from their own browser.

將訪問令牌存儲(chǔ)在 httpOnly cookie 中，任何用戶的令牌都不會(huì)被泄露.但是，即使存在 XSRF 保護(hù)，用戶也容易從自己的瀏覽器發(fā)出未經(jīng)授權(quán)的請(qǐng)求.

store an access token in a httpOnly cookie, the tokens for any user are not compromised. But, the users are also vulnerable to making unauthorized requests from their own browser even in the presence of XSRF protection.

希望這些信息對(duì)您有所幫助.

Hope this information helps.

這篇關(guān)于sessionStorage 與 cookie 中的 JWT 令牌?的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！