[英]How and where to store access token securely
I know this question has been asked many times but frankly I have not seen an answer that satisfies the criteria I have.我知道这个问题已经被问过很多次了,但坦率地说,我还没有看到满足我所拥有的标准的答案。
So I have a ASP.NET WEB API that issues an access token (JWT) when user/pass are provided.所以我有一个 ASP.NET WEB API,它在提供用户/密码时发出访问令牌(JWT)。 At the moment requests are coming from an SPA application.目前请求来自 SPA 应用程序。 The problem I have is storing the access token so it can be resent to the API from JavaScript.我遇到的问题是存储访问令牌,以便它可以从 JavaScript 重新发送到 API。 So far it looks like there are 2 commonly suggested options到目前为止,似乎有 2 个常用的建议选项
But none of these is actually secure since they are not protected from XSS and CSRF.但是这些实际上都不是安全的,因为它们不受 XSS 和 CSRF 的保护。 And on top of that it makes token easily accessible.最重要的是,它使令牌易于访问。
Any options you would suggest ?你有什么建议吗?
Web store is vulnerable to XSS.网上商店易受 XSS 攻击。 Cookie is vulnerable to XSS if not HTTPONLY.如果不是 HTTPONLY,Cookie 很容易受到 XSS 的攻击。 Cookie is vulnerable to CSRF when not STRICT, even if it is HTTPONLY. Cookie 在不严格时容易受到 CSRF 的影响,即使它是 HTTPONLY。
So I think we can store the access token in memory .所以我认为我们可以将访问令牌存储在内存中。 Issue with that is there is no persistence between page refreshes.问题是页面刷新之间没有持久性。 So for persistence we can store a refresh token in web storage or a cookie and whenever we do not have an access token we can get a new one silently with a refresh token.因此,为了持久性,我们可以在 Web 存储或 cookie 中存储刷新令牌,并且每当我们没有访问令牌时,我们可以使用刷新令牌静默获取一个新令牌。
When using an identity server a refresh token will not be of any use to any unauthorised client.使用身份服务器时,任何未经授权的客户端都不会使用刷新令牌。
So if they XSS and steal the refresh token or CSRF with the refresh token cookie they cannot impersonate the user or get the access token.因此,如果他们 XSS 并使用刷新令牌 cookie 窃取刷新令牌或 CSRF,他们将无法模拟用户或获取访问令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.