Problem description
I have a REST API for generating a token, which I'm using in an Angular 4 client, but the question is where to store this token.
On the internet I found that I can store it in local storage or in a cookie.
So my question is: if I store the token in local storage, for example, and I have just copied the valid token from another browser, then I will have a valid token, so is there any security in storing the token like that, and basically the same with cookies, or maybe I missed some important information?
Recommended answer
Here is a complete article about Tokens / Cookies that can give you a lot of knowledge about this subject: auth0: Cookies VS Tokens
I'll quote the most important parts to make you understand what's coming next:
Cross Site Scripting (XSS) attacks occur when an outside entity is able to execute code within your website or app.
Cross Site Request Forgery attacks are not an issue if you are using JWT with local storage. On the other hand, if your use case requires you to store the JWT in a cookie, you will need to protect against XSRF.
Our CTO has argued in the past that XSS attacks are much easier to deal with compared to XSRF attacks because they are generally better understood.
So basically, to sum up:
- XSS attacks are an issue with Tokens and LocalStorage. But it's not, because Angular sanitizes everything, efficiently preventing XSS attacks. (https://angular.io/guide/security#angulars-cross-site-scripting-security-model)
- XSRF attacks are an issue with Cookies, and you would have to set up your own security framework to deal with them.
Hence, I'd recommend a standard JWT Token approach to manage your token. Since your token is signed with the JWT format, this is the safest solution in my opinion. Of course, a standard token would need to be either encrypted or signed (not the same) to be really secure.
It is very easy to set up and manage using a proper library (e.g. https://github.com/auth0/angular2-jwt).
To go further: I imagine your token would be used for authentication, and be aware that people have already worked with that and know what is good / bad practice using them.
You should take a look at how authentication is managed on working websites (such as Twitter / Facebook, etc.) where they use Refresh Tokens. Here are some additional links that could interest you:
- https://auth0.com/learn/refresh-tokens/
- https://auth0.com/docs/tokens/refresh-token/current
EDIT: Additional links about best practices with JWT:
https://dev.to/neilmadden/7-best-practices-for-json-web-tokens (Part 6 and 7)
https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec