是否存在在localStorage中存储HTTP Basic授权头的安全问题?
[英]Are there any security concerns storing HTTP Basic authorization header in localStorage?
问题描述
I'm building a web application that accesses a private API. 
我正在构建一个访问私有API的Web应用程序。 The API that I'm consuming uses HTTP Basic Authentication over TLS. 我正在使用的API使用基于TLS的HTTP基本身份验证。 My client has requested a "remember me" functionality for the web app so that users can maintain persistent authentication on a given device. 我的客户端已经为Web应用程序请求了“记住我”功能,以便用户可以在给定设备上维护持久身份验证。
My quick-and-dirty solution is to store the Authorization header in localStorage after it has been validated. 我的快速和肮脏的解决方案是在验证后将Authorization标头存储在localStorage 。 Of course, given unmitigated access to a user's device, anybody who is worth their weight in salt could copy the auth header from localStorage and decode it to retrieve the user's login/password combo. 当然,考虑到对用户设备的无限制访问权限,任何在盐中值得重视的人都可以从localStorage复制auth标头并对其进行解码以检索用户的登录/密码组合。
Aside from total device compromise, are there any other security implications from storing this type of sensitive data in localStorage ? 除了完全设备损害之外,在localStorage存储此类敏感数据还有其他安全隐患吗? Is localStorage acceptable as a store for sensitive data such as passwords? localStorage是否可以作为密码等敏感数据的存储? If not, how would you persist such data on a user's device beyond an individual browser session? 如果没有,除了单独的浏览器会话之外,您如何在用户设备上保留此类数据?
(I wish everybody could just use his or her private key...passwords are so 90s) (我希望每个人都可以使用他或她的私钥......密码是90年代)
EDIT After reading HTML5 localStorage security it seems clear that storage of sensitive data in localStorage in general is a bad idea, but what better option is there for authentication persistence in this case? 编辑在阅读HTML5 localStorage安全性之后 ,似乎很清楚在localStorage中存储敏感数据通常是一个坏主意,但在这种情况下,有哪种更好的选项可用于身份验证持久性?
1 个解决方案
解决方案1
4 已采纳 2014-10-11 02:13:05
I think it's a bad idea to store something related to the login or the password on the user's side. 我认为在用户端存储与登录或密码相关的内容是个坏主意。
But once an user has logged in, you can store a random string (a random hash for example) on the user's side and in your database. 但是一旦用户登录,您就可以在用户侧和数据库中存储随机字符串(例如随机哈希)。 When the user get back, you can compare the two and if they are identical, you can log in the user. 当用户返回时,您可以比较两者,如果它们相同,则可以登录用户。 And you can ask the user to enter his password for sensitive actions (change password or login, etc.). 您可以要求用户输入敏感操作的密码(更改密码或登录等)。 So even if the hash is stolen, no one will be able to get the full access to this account. 因此,即使哈希被盗,也没有人能够获得对此帐户的完全访问权限。
Edit : this concept is already used with cookies . 编辑:此概念已与Cookie一起使用 。 I've never tested it with localStorage. 我从来没有用localStorage测试它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.