Oauth2 Access Token Security Issue + angular 2

I am storing the access token coming from Google OAuth2 in local storage. Now, the issue is that this is a security issue. Another person can copy the local storage values from my browser and enter the URL to access my account. How can we solve this, as an access token is generally stored in local or session storage only? We can give a logout after, say, 60 min, like this:

// setTimeout takes milliseconds, so 60 min is 60 * 60 * 1000 ms (the original 3600 would fire after 3.6 s)
this.expiresTimerId = setTimeout(() => {
    console.log('Session has expired');
    this.doLogout(440);
}, 60 * 60 * 1000);

But the vulnerability exists for 60 min, which may cause a security breach. How to avoid this?

I don't know of any simple way of securing an access token against "someone else comes to my computer and misuses my open session" attacks (access tokens tend to be bound to the client IP address).

You can improve the situation by using sessionStorage instead of localStorage - it drops its values when the browser tab is closed.

To prevent an attacker from doing any harm, all operations that change data or display sensitive data would have to be re-authenticated, in a similar way to what online banking systems usually do.
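Putting the answer's two suggestions together with the question's timeout, here is an added example (not code from the original question or answer): a small Angular-style service that keeps the token in sessionStorage with an absolute expiry and an idle timeout, and only hands it out for sensitive operations when the user re-authenticated recently. The storage and clock are injected so it runs outside a browser; the class, its method names and the 15-minute idle and 5-minute re-authentication limits are assumptions.

```typescript
// Added example, not from the original post. In an Angular service pass
// window.sessionStorage and Date.now; the limits below are assumed values.
type Store = { getItem(k: string): string | null; setItem(k: string, v: string): void; removeItem(k: string): void };
type StoredSession = { token: string; expiresAt: number; lastActivity: number; lastAuthAt: number };
const SESSION_KEY = "oauth_session";

class TokenSession {
  constructor(private store: Store, private now: () => number = Date.now,
              private idleLimitMs = 15 * 60 * 1000, private freshAuthMs = 5 * 60 * 1000) {}
  // Record the token with an absolute expiry derived from the OAuth2 expires_in value.
  start(token: string, expiresInSec: number): void {
    const t = this.now();
    this.save({ token, expiresAt: t + expiresInSec * 1000, lastActivity: t, lastAuthAt: t });
  }
  // Token for an ordinary API call: null (and logged out) once the absolute
  // lifetime has passed or the user has been idle longer than idleLimitMs.
  token(): string | null {
    const s = this.load();
    if (!s) return null;
    const t = this.now();
    if (t >= s.expiresAt || t - s.lastActivity > this.idleLimitMs) { this.logout(); return null; }
    this.save({ ...s, lastActivity: t });
    return s.token;
  }
  // Sensitive operations (data changes, sensitive reads) also require a recent
  // explicit re-authentication; the caller prompts the user when this is null.
  tokenForSensitiveOp(): string | null {
    const token = this.token();
    const s = this.load();
    return token && s && this.now() - s.lastAuthAt <= this.freshAuthMs ? token : null;
  }
  // Call once the user has proved their identity again (password or OAuth prompt).
  markReauthenticated(): void {
    const s = this.load();
    if (s) this.save({ ...s, lastAuthAt: this.now() });
  }
  logout(): void { this.store.removeItem(SESSION_KEY); }
  private load(): StoredSession | null { const raw = this.store.getItem(SESSION_KEY); return raw ? JSON.parse(raw) as StoredSession : null; }
  private save(s: StoredSession): void { this.store.setItem(SESSION_KEY, JSON.stringify(s)); }
}

// Constructed in-memory stand-in for sessionStorage when there is no browser.
class MemoryStore implements Store {
  private m = new Map<string, string>();
  getItem(k: string): string | null { return this.m.get(k) ?? null; }
  setItem(k: string, v: string): void { this.m.set(k, v); }
  removeItem(k: string): void { this.m.delete(k); }
}
```

Whoever copies the stored value still gets a token that dies at the tab close, at the idle limit, or at the absolute expiry, and cannot perform a sensitive operation without re-authenticating.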
