简体繁体 English

会话令牌认证安全性

[英]Session Token Authentication Security

原文 2015-07-06 16:49:20 3 2 angularjs/ authentication/ token

I need some advice regarding using session tokens to authenticate users. 我需要有关使用会话令牌对用户进行身份验证的一些建议。 I am building an AngularJS app which uses an API to tie in with the backend. 我正在构建一个使用API与后端绑定的AngularJS应用。 I am only building the front end, not the backend. 我只是建立前端，而不是后端。 The documentation states that all calls to the API have a session token attached in the body of the request (POST). 该文档指出，对API的所有调用都在请求正文（POST）中附加了会话令牌。

I would like to know about the security of storing this token in localStorage. 我想知道将令牌存储在localStorage中的安全性。 That is where I am storing it now and retrieving and attaching it to each API request. 那是我现在存储它并将其附加到每个API请求的地方。 After login, the server sends the session token in the body and I save it from there. 登录后，服务器将会话令牌发送到正文中，然后从那里保存它。
There is no documentation about an x-access-token header that should be sent with the request made to the server. 没有有关应随服务器发出的请求一起发送的x-access-token标头的文档。 It is not being checked server side. 尚未检查服务器端。 What are the implications of this? 这意味着什么？ I feel that it is susceptible to attacks without this added layer of security. 我觉得如果不增加安全性，它很容易受到攻击。

My main concern is the security of this setup. 我主要关心的是此设置的安全性。 I want to know what the best setup is to make sure this app is as secure as possible and recommend changes to the way the backend is setup to facilitate this. 我想知道最好的设置是什么，以确保该应用程序尽可能安全，并建议更改后端设置的方式以简化此操作。

Thanks! 谢谢！

2 个解决方案

I would suggest use $cookies rather than localstorage. 我建议使用$ cookies而不是localstorage。 As localstorage does not support some legacy browser. 由于localstorage不支持某些旧版浏览器。 I am using cookies to store token in my project 我正在使用Cookie将令牌存储在我的项目中

As you tell, you are only working on the UI part and not the backend. 如您所知，您只在UI部分工作，而不在后端工作。 It is up to the backend team to ensure headers are properly evaluated and security is enforced (btw request headers do not belong to request body). 后端团队有责任确保正确评估标头并强制执行安全性（顺便说一句，请求标头不属于请求主体）。 Just put the token into the x-access-token header as they tell. 就像他们告诉的那样，只需将令牌放入x-access-token标头即可。

Storing the token inside the localStorage gives you a little more control over the cookie: You will not accidentally send it to unnecessary URLs. 将令牌存储在localStorage使您更好地控制cookie：您不会将其意外发送到不必要的URL。 However, older browsers do not support it - you may need to use a shim for that. 但是，较旧的浏览器不支持它-您可能需要使用垫片。

In a case of SPA, you may consider not storing the token at all: It could be fetched each time your application is accessed and then stored within a service in angularjs, but it depends how your fetch/login operation is implemented (is it always interactive, how long does it take, etc). 在SPA的情况下，您可能会考虑完全不存储令牌：可以在每次访问您的应用程序时将其获取，然后将其存储在angularjs的服务中，但这取决于您的获取/登录操作的实现方式（是否始终互动，需要多长时间等）。