[英]React and storing jwt token in localstorage
I just recently started using jwt in a react+express app and came across the issue of where to store the jwt token.我最近刚开始在 react+express 应用程序中使用 jwt,遇到了存储 jwt 令牌的位置的问题。 It seems like the two major options are localStorage and cookies with both being venerable to various attacks (XSS and CRSF).似乎两个主要选项是 localStorage 和 cookies,它们都容易受到各种攻击(XSS 和 CRSF)。
But i found that react is supposedly XSS safe ( What does it mean when they say React is XSS protected? ) so is it okay to use localStorage to store the jwt?但是我发现 react 应该是 XSS 安全的( 当他们说 React 受 XSS 保护时是什么意思? )那么可以使用 localStorage 来存储 jwt 吗? If not whats the industry standard for this?如果不是这个的行业标准是什么?
Both cookies and localStorage can be acceptable options, and both are used by many apps. cookies 和 localStorage 都是可接受的选项,并且都被许多应用程序使用。 You need to be aware of their pros and cons and choose what fits your usecase the best.您需要了解它们的优缺点,并选择最适合您的用例的。
Cookies Cookies
httpOnly
, so javascript will not have access.可以设置为httpOnly
,所以 javascript 将无权访问。 This makes it impossible to access the token in an XSS attack.这使得在 XSS 攻击中无法访问令牌。 Note that this does not mean the app is not vulnerable to XSS .请注意,这并不意味着该应用程序不受 XSS 攻击。 This only means then even in case of a successful XSS attack, the token will not be accessible to the attacker.这仅意味着即使在 XSS 攻击成功的情况下,攻击者也无法访问令牌。httpOnly
cookie.在这种情况下,短期访问令牌通常存储在 localStorage 中,并在httpOnly
cookie 中为身份提供者域设置一个长期刷新令牌。localStorage本地存储
React being "XSS safe"反应是“XSS 安全”
It's not.它不是。 It's probably harder for a developer to make it vulnerable, but any medium complexity React app will most likely have XSS vulnerabilities.开发人员可能更难使其易受攻击,但任何中等复杂性的 React 应用程序都极有可能存在 XSS 漏洞。 React is in no way immune to different forms of XSS. React 绝不会不受 XSS 的不同 forms 的影响。 As long as developers have a multitude of options to insert user input into the DOM, there will be XSS, because sometimes it's the easiest to solve problems that way to "make it work".只要开发人员有多种选项可以将用户输入插入 DOM,就会出现 XSS,因为有时以“使其工作”的方式解决问题是最容易的。 Content-Security-Policy
might help somewhat in modern browsers if feasible in your app.如果在您的应用中可行, Content-Security-Policy
在现代浏览器中可能会有所帮助。 It's true though that React is pretty secure by default, meaning that usually it will just be ok.尽管默认情况下 React 是非常安全的,但这确实是事实,这意味着通常它会没事的。 That's a fairly standard requirement of any modern framework now, and it does not mean XSS in React is not possible.这是现在任何现代框架的一个相当标准的要求,这并不意味着 React 中的 XSS 是不可能的。 It is.这是。
Ultimately , a session id stored in a httpOnly
cookie (with correctly implemented session management, eg. as provided by your language or framework) is the most secure in general , followed by a token in a httpOnly
cookie, but it also depends on your threat model and the exact usecase.最终,存储在httpOnly
cookie 中的 session id (正确实施 session 管理,例如,由您的语言或框架提供)通常是最安全的,其次是httpOnly
cookie 中的令牌,但这也取决于您的威胁model 和确切的用例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.