
How to safely deal with authentication on a web app rendered server-side?

I thought of a few approaches myself:

  • Use cookies. This requires CSRF protection and some logic complications, as one needs to unify the cookie for both the API and the main domain. Also, cookies seem a bit creepy regarding security overall.
  • Render auth-related stuff on the client. Well, this would work, but things as simple as the navbar, which should hide the SignIn/SignUp buttons when authed, are auth-related. With some overview of my existing application, SSR looks entirely pointless at that point.

What is the better approach to this? Something that's secure and practical?

Edit: I would highly appreciate a comment describing the reason for downvoting. I'm providing a bounty for a definitive answer that answers questions like this and this, plus a lot of issues posted on GitHub and threads posted on different framework-specific forums.

HTTP is stateless. You need to associate the client to the server somehow. The old standard method, which assumes the client is dumb, uses cookies for this association, which browsers automatically pass for you. It's still overall the most secure way of keeping the session - over HTTPS.

If you don't like cookies and you assume a smart client that can run code, then use tokens - preferably JWTs - and place them in localStorage. Ensure you are running over HTTPS of course, and you still have to guard against XSS attacks.

That's all there is to it - head over to security.stackexchange.com to learn why trying anything custom is a bad idea.

