Question
Suppose we have two users doing the following operations:
- User1 requests an access token from the auth server and is granted one.
- Now User1 saves the token into localStorage/a cookie for future API access.
- Now User2 approaches User1's browser and somehow gets the access_token.
- Now User2 calls the API using User1's access_token and gets access too, without logging in.
Now, can we validate the token anyhow?
Answer 1:
You can't avoid that happening. However, the token should have an expiration time, so the attacker will only have access during that time. Also, if you know that a token has been stolen, you can revoke it so it's no longer valid.
You could apply more security measures such as associating the token with a specific IP address, or some advanced services that even use machine learning to detect unusual behaviours.
Answer 2:
Confidential information such as an OAuth token should never be stored in HTTP cookies unless encrypted. The encryption should be client/session-specific, meaning that a different encryption key should be used for each client session. If an intruder were to extract the encrypted cookie and attempt to use it for a different session, the decryption would fail, rendering the cookie invalid.
In your scenario, User B obtains access to User A's session. There is not much protection available. This would be similar to you logging into your bank, leaving your desk for coffee and someone else sits down and starts transferring money using the same browser window that you logged into.
Security is only as strong as the weakest link. Each component must implement strong security. If a single component can be breached, then the other security components might also fail.
There is a tradeoff between very tight security and convenience. Human beings tend to sacrifice security if the processes are too tedious or too difficult or just plain get in the way.
My bank does something interesting. Once I log in and keep doing stuff (clicking links, moving the mouse, etc.) I stay authenticated. If I pause for one minute, then the next time I click a link I must reauthenticate. Interesting strategy to detect a person who might have left his desk unattended.
Source: https://stackoverflow.com/questions/53955977/how-to-prevent-token-substitution-attack