What is the point of the httponly ss-tok bearerToken cookie in ServiceStack Authentication

让人想犯罪 __ submitted on 2019-12-24 00:54:17

Question


I understand, from a security perspective, the concept of the HttpOnly flag on the value of the Set-Cookie response header and how it helps prevent XSS attacks.

What I do not understand is, what is ServiceStack doing with the "ss-tok" cookie that saves the bearerToken.

According to ServiceStack documentation I can convert to a stateless session by issuing a stateless JWT Cookie like so:

var authResponse = client.Send(new Authenticate {
    provider = "credentials",
    UserName = username,
    Password = password,
    UseTokenCookie = true
});

The UseTokenCookie is set to true. And the httponly "ss-tok" cookie is created upon successful authentication.

Yet I cannot seem to use this token cookie, stored under the name "ss-tok", for anything. I cannot retrieve it with JavaScript, obviously, and I cannot seem to get it sent in JsonServiceClient requests.

My ServiceStack resource microservices do not ever receive the value of "ss-tok" in any secure request. I have to explicitly set the bearerToken for any secure request.

I have to explicitly pass the bearerToken or refreshToken with my JsonServiceClient as stated in the ServiceStack documentation on this matter.

I must be doing something wrong, I thought this documentation was the part I was missing, this code here:

var client = new JsonServiceClient(baseUrl);
client.SetCookie("ss-tok", jwtToken);

But this code makes no sense actually, since the value of "ss-tok" is not being sent to my resource microservices, I have to explicitly set bearerToken value like I said earlier:

var client = new JsonServiceClient(baseUrl);
client.BearerToken = jwtToken;

This means I will have to store jwtToken in my own cookie value because my app will need to create multiple instances of JsonServiceClient in different areas of the app.


Answer 1:


It is the Cookie that holds the JWT Token which does get sent on subsequent requests like any other Cookie.
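The following is an added example, not code from the question, the answer or ServiceStack's own sources. It shows what the answer describes: after authenticating with UseTokenCookie = true, the JWT sits in the client's CookieContainer under the name "ss-tok" and is sent automatically on later requests, so nothing has to be copied into BearerToken for that client instance. It also shows the two ways to reuse the token from a second JsonServiceClient instance, which is the situation the question ends on. The base URL, the credentials and the [Authenticate]-protected Secure DTO are assumptions; the example needs a running ServiceStack host with the credentials and JWT auth providers registered.

```csharp
// Added example (not from the original page). Assumes a ServiceStack host at
// baseUrl with CredentialsAuthProvider + JwtAuthProvider, and the hypothetical
// Secure service below standing in for one of the resource microservices.
using System;
using System.Net;
using ServiceStack;

// Hypothetical protected request DTO; the real services on the page are not shown.
[Route("/secure")]
[Authenticate]
public class Secure : IReturn<SecureResponse> { }

public class SecureResponse
{
    public string Result { get; set; }
}

public static class TokenCookieDemo
{
    public static void Run(string baseUrl, string username, string password)
    {
        // 1. Authenticate and ask for the JWT to come back in the HttpOnly ss-tok cookie
        //    instead of (or as well as) in authResponse.BearerToken.
        var authClient = new JsonServiceClient(baseUrl);
        var authResponse = authClient.Post(new Authenticate
        {
            provider = "credentials",
            UserName = username,
            Password = password,
            UseTokenCookie = true,
        });

        // The JWT now lives in authClient.CookieContainer as the "ss-tok" cookie.
        // This client sends it on every later request, the same way a browser
        // replays an HttpOnly cookie, so no BearerToken needs to be set here.
        SecureResponse r1 = authClient.Get(new Secure());

        // 2. A freshly constructed client starts with an empty cookie jar, so a
        //    request from it would be unauthenticated unless the cookie is shared.
        var other = new JsonServiceClient(baseUrl);

        // Option A: share the CookieContainer between client instances.
        other.CookieContainer = authClient.CookieContainer;
        SecureResponse r2 = other.Get(new Secure());

        // Option B: copy just the JWT. GetTokenCookie() reads ss-tok from the
        // client's CookieContainer; this is possible in .NET code but not from
        // browser JavaScript, because the cookie is HttpOnly.
        string jwt = authClient.GetTokenCookie();
        var third = new JsonServiceClient(baseUrl);
        third.SetTokenCookie(jwt);      // resend it as the ss-tok Cookie ...
        // third.BearerToken = jwt;     // ... or as "Authorization: Bearer <jwt>"
        SecureResponse r3 = third.Get(new Secure());

        Console.WriteLine($"{r1.Result} / {r2.Result} / {r3.Result}");
    }
}
```

With either option the JWT never has to be written into a cookie of your own: the ServiceStack client keeps it in its CookieContainer, and a new instance only needs that container (or the token read from it) handed over.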



Source: https://stackoverflow.com/questions/47419921/what-is-the-point-of-the-httponly-ss-tok-bearertoken-cookie-in-servicestack-auth
