问题
If we get token from the rest server and use AuthorizationToken header in every request for authorization, we still need to keep it when the browser's page is closed.
The only universal way to do it is to put the token to cookies. But in such way even if the cookies are not used for authentication, they can be stolen by XSS. And we can't use httpOnly flag. So:
Are there any other specific ways to protect the token and keep it safe?
If HTTPS is used during the whole session and the cookies with token were stolen, is it possible to hijack the https session with a token?
回答1:
My answer is perhaps a bit naive but why not store the token in the persistence storage of your browser. If you use Angular, with code as describe below:
function((...), $window) {
(...)
$window.sessionStorage['userToken'] = '<user-token>';
}
I don't really see other approaches (exception cookies) to keep such hints when the browser's page is closed.
The problem with cookies is that your client needs to be a browser to leverage this feature transparently... Moreover it's really not the better approach for authentication within RESTful services ;-)
You can combine this with a mechanism of security tokens with an expiration date and the ability to refresh them, as described in the following link: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.
In addition, you can use JS framework like Angular that provides solutions to XSS. See the following links for example:
- http://java.dzone.com/articles/angularjs-how-handle-xss
- angularjs + cross-site scripting preventing
Hope it provides some hints to your issue, Thierry
来源:https://stackoverflow.com/questions/28855554/is-there-any-safe-way-to-keep-rest-auth-token-on-the-client-side-for-spa