Is there any safe way to keep rest auth token on t

Posted 2019-02-25 09:58

If we get token from the rest server and use AuthorizationToken header in every request for authorization, we still need to keep it when the browser's page is closed.

The only universal way to do it is to put the token in cookies. But that way, even if the cookies are not used for authentication, they can be stolen by XSS, and we can't use the httpOnly flag. So:

  1. Are there any other specific ways to protect the token and keep it safe?

  2. If HTTPS is used during the whole session and the cookies with token were stolen, is it possible to hijack the https session with a token?

1 answer
Luminary
#2 · 2019-02-25 10:49

My answer is perhaps a bit naive, but why not store the token in the persistent storage of your browser? If you use Angular, with code as described below:

function((...), $window) {
    (...)
    $window.sessionStorage['userToken'] = '<user-token>';
}

I don't really see other approaches (except cookies) to keep such hints when the browser's page is closed.

The problem with cookies is that your client needs to be a browser to leverage this feature transparently... Moreover, it's really not the best approach for authentication within RESTful services ;-)

You can combine this with a mechanism of security tokens with an expiration date and the ability to refresh them, as described in the following link: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.

In addition, you can use a JS framework like Angular that provides solutions to XSS. See the following links for example:

Hope it provides some hints to your issue, Thierry
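The expiring-and-refreshable token approach the answer mentions, combined with its sessionStorage idea, as an added example that is not part of the original answer and not Angular's own code. It assumes a caller-supplied refresh function (here a constructed stub that hands out numbered tokens), reuses the `userToken` storage key from the answer and the `AuthorizationToken` header name from the question, and substitutes an in-memory `MemoryStorage` stand-in for `window.sessionStorage` so it runs under Node. Keeping the expiry beside the token and refreshing before it lapses bounds how long a token that leaks through XSS stays useful; it does not stop script on the same origin from reading it.

```javascript
'use strict';

// Constructed stand-in for window.sessionStorage so the example runs outside a browser.
// In the browser you would pass window.sessionStorage ($window.sessionStorage in Angular).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

const STORAGE_KEY = 'userToken'; // same key the answer uses

class TokenStore {
  // storage: Storage-like object (getItem/setItem/removeItem)
  // refresh: hypothetical function returning { token, expiresInSec } for a new token;
  //          in a real app this is a network call and this method would be async
  // now:     clock, injectable so expiry behaviour can be tested deterministically
  // skewMs:  refresh this long before the recorded expiry to absorb clock drift
  constructor(storage, refresh, { now = () => Date.now(), skewMs = 30 * 1000 } = {}) {
    this.storage = storage;
    this.refresh = refresh;
    this.now = now;
    this.skewMs = skewMs;
  }

  // Persist the token together with an absolute expiry timestamp (ms).
  save(token, expiresInSec) {
    const record = { token, expiresAt: this.now() + expiresInSec * 1000 };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(record));
    return record;
  }

  // Read the stored record; anything missing, malformed or tampered counts as "no token".
  load() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try {
      const record = JSON.parse(raw);
      if (typeof record.token !== 'string' || typeof record.expiresAt !== 'number') return null;
      return record;
    } catch (e) {
      return null;
    }
  }

  isUsable(record) {
    return record !== null && record.expiresAt - this.skewMs > this.now();
  }

  // Header to attach to a REST call; refreshes first when the stored token is
  // missing, unreadable or about to expire.
  authHeader() {
    let record = this.load();
    if (!this.isUsable(record)) {
      const fresh = this.refresh();
      record = this.save(fresh.token, fresh.expiresInSec);
    }
    return { AuthorizationToken: record.token };
  }

  // Call on logout so a token does not outlive the session it belongs to.
  clear() { this.storage.removeItem(STORAGE_KEY); }
}

// Deterministic walk-through: tokens live 300 s, refresh 30 s before expiry.
function runScenario() {
  let clock = 1000000; // constructed epoch in ms
  let issued = 0;
  const refresh = () => { issued += 1; return { token: 'tok-' + issued, expiresInSec: 300 }; };
  const store = new TokenStore(new MemoryStorage(), refresh, { now: () => clock, skewMs: 30 * 1000 });

  const first = store.authHeader().AuthorizationToken;   // nothing stored -> tok-1
  clock += 200 * 1000;
  const second = store.authHeader().AuthorizationToken;  // 100 s left -> still tok-1
  clock += 80 * 1000;
  const third = store.authHeader().AuthorizationToken;   // 20 s left, inside skew -> tok-2
  store.storage.setItem(STORAGE_KEY, 'not json');        // corrupted entry
  const fourth = store.authHeader().AuthorizationToken;  // unreadable -> tok-3
  store.clear();
  return { first, second, third, fourth, issued, afterClear: store.load() };
}

module.exports = { MemoryStorage, TokenStore, STORAGE_KEY, runScenario };
```

`runScenario` shows the three cases a practitioner cares about: a valid token is reused without a round trip, a token close to expiry is replaced before a request goes out with a stale one, and a storage entry that was corrupted or tampered with is discarded rather than sent.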
