vue jwt token storage

I am following a Vue course on Udemy and have looked at several online resources, and they all seem to have a process where I send a username and password to my API and it returns my JWT access token. Then the token is stored in state (using Vuex) and, to support page refreshes (and keep the user logged in), it also saves the JWT token to local storage.

As I am not using cookies, my understanding is that I don't have to worry about CSRF.

OWASP advises against storing tokens in local storage (mainly, I believe, due to the XSS vulnerabilities that exist). The Auth0 website ( https://auth0.com/docs/security/store-tokens ) says I should store it in memory (e.g. like I'm doing with Vuex).

How can I follow the advice of not using local storage and also ensure that if the user refreshes the page they are still logged in (without cookies), or is this not going to be possible?

First of all, I'm not a security expert. If your company has a security officer or so, you might want to discuss the matter there as well.

OWASP states you should not store sensitive information in localStorage (or WebSQL/IndexedDB). But I think you should balance your options. If it is OK that the user needs to log in every time because of some really sensitive information, you might get away with sessionStorage or keep the token in memory. Otherwise, just go with localStorage. As an example: hit F12 and look at what SO is using: localStorage.

There's also a nice answer on the matter at Security StackExchange.
