简体繁体 English

如果仅标记为 HTTP，我能否将 OpenID Connect id_token 和 access_token 安全地存储在 cookie 中？

[英]Can I securely store an OpenID Connect id_token and access_token in a cookie if it's marked as HTTP only?

原文 2017-11-17 11:16:53 9 2 security/ asp.net-mvc-4/ cookies

I am integrating a legacy application (an ASP.NET MVC 4 app) with OpenID Connect.我正在将旧应用程序（ASP.NET MVC 4 应用程序）与 OpenID Connect 集成。 Once I obtain the id_token and access_token from my OIDC provider I need to store them.从我的 OIDC 提供商处获得 id_token 和 access_token 后，我需要存储它们。 In typical fashion they have to be sent 'over the wire' from the client side to the server side because the server side must process the id_token to determine which user made the request.在典型的方式中，它们必须从客户端“通过线路”发送到服务器端，因为服务器端必须处理 id_token 以确定哪个用户发出了请求。 The access_token is not processed by my application.我的应用程序不处理 access_token。 It's just stored in my application until I need to make a request to an API that requires JWT Bearer authentication.它只是存储在我的应用程序中，直到我需要向需要 JWT 承载身份验证的 API 发出请求。

The way I see it is that the id_token and access_token are sent from client and server either way - whether it's an a header or a cookie.我看到的方式是 id_token 和 access_token 是从客户端和服务器发送的，无论是标头还是 cookie。 Can I store the id_token and access_token securely in a cookie if it's marked as HTTP only?如果 id_token 和 access_token 仅标记为 HTTP，我可以将 id_token 和 access_token 安全地存储在 cookie 中吗？

Edit: I should add a little more information about my scenario.编辑：我应该添加更多关于我的场景的信息。

1) My application always uses HTTPS, and all cookies are marked as secure. 1) 我的应用程序始终使用 HTTPS，并且所有 cookie 都标记为安全。 This removes MITM (Man In The Middle) vulnerabilities这消除了 MITM（中间人）漏洞

2) Every PUT, POST and DELETE request uses ASP.NET's anti forgery token classes. 2) 每个 PUT、POST 和 DELETE 请求都使用 ASP.NET 的防伪令牌类。 This protects against XSRF.这可以防止 XSRF。

3) All input is escaped and sanitized using ASP.NET libraries which removes XSS vulnerabilities. 3) 所有输入都使用 ASP.NET 库进行转义和清理，从而消除了 XSS 漏洞。

4) The cookie that would contain the id_token would be marked as http only, removing the ability to read and access the cookie from the client side. 4) 包含 id_token 的 cookie 将被标记为仅 http，从而消除了从客户端读取和访问 cookie 的能力。

2 个解决方案

You should probably not store the tokens in cookies.您可能不应该将令牌存储在 cookie 中。 Ideally the access token would be stored in memory on the client.理想情况下，访问令牌将存储在客户端的内存中。 This way they aren't sent automatically with requests to the server which is why there are risks involved with cookies.这样它们就不会随着请求自动发送到服务器，这就是 cookie 存在风险的原因。 Anywhere else could open you up to potential vulnerabilities.其他任何地方都可能让您面临潜在的漏洞。

The RFC 6819 specification, titled "OAuth 2.0 Threat Model and Security Considerations" touches on the risks and vulnerabilities around OAuth tokens.标题为“OAuth 2.0 威胁模型和安全注意事项”的RFC 6819规范涉及围绕 OAuth 令牌的风险和漏洞。 Specifically, I would recommend reading the following sections:具体来说，我建议阅读以下部分：

4.1.3. 4.1.3. Threat: Obtaining Access Tokens威胁：获取访问令牌
4.4.2.2. 4.4.2.2. Threat: Access Token Leak in Browser History威胁：浏览器历史记录中的访问令牌泄漏
5.1.6. 5.1.6. Access Tokens访问令牌

In applications I have written the tokens have been stored in local storage and in memory.在我编写的应用程序中，令牌已存储在本地存储和内存中。

I'd recommend reading through the OAuth 2.0 specification so you know the risks involved when using OAuth 2.0.我建议您通读 OAuth 2.0 规范，以便了解使用 OAuth 2.0 时所涉及的风险。

Please don't count on that, HttpOnly is a flag that tells the browser that this cookie should not be accessed by client side scripts and it is true only if the browser supports it.请不要指望这一点，HttpOnly 是一个标志，它告诉浏览器该 cookie 不应被客户端脚本访问，并且仅当浏览器支持它时才为真。 You can find more info here: https://www.owasp.org/index.php/HttpOnly Also I suggest to dive a little in the OWASP web site as they have documents regarding best practices for problems like the one you listed.您可以在此处找到更多信息： https : //www.owasp.org/index.php/HttpOnly另外我建议在 OWASP 网站上深入了解一下，因为他们有关于您列出的问题的最佳实践的文档。

You can see if your browsers support HttpOnly here: https://caniuse.com/?search=httponly您可以在此处查看您的浏览器是否支持HttpOnly ： https : HttpOnly ? HttpOnly = HttpOnly

As of 2021, 95% of browsers support it.到 2021 年，95% 的浏览器都支持它。