问题描述
从安全角度来看,我理解Set-Cookie Response标头值的httponly标志的概念,并防止XSS攻击.
我不明白的是,ServiceStack在使用"ss-tok" cookie来保存BearerToken的时候在做什么.
根据 ServiceStack文档通过发出无状态的JWT Cookie,我可以转换为无状态的会话,如下所示:
var authResponse = client.Send(new Authenticate {
provider = "credentials",
UserName = username,
Password = password,
UseTokenCookie = true
});
UseTokenCookie设置为true.成功验证后,就会创建httponly"ss-tok" cookie.
但是,我似乎无法将这个以名称"ss-tok"存储的令牌cookie用作任何东西.我显然无法使用Javascript检索它,而且似乎无法在JsonServiceClient请求中将其发送.
我的ServiceStack资源微服务从未在任何安全请求中收到"ss-tok"的值.我必须为任何安全请求显式设置bearerToken.
我必须按照有关此问题的ServiceStack文档.
我肯定做错了事,我认为这份文档是我缺少的部分,此代码在这里:
var client = new JsonServiceClient(baseUrl);
client.SetCookie("ss-tok", jwtToken);
但是这段代码实际上没有任何意义,因为"ss-tok"的值没有发送到我的资源微服务,所以我必须像我之前所说的那样显式设置bearerToken值:
var client = new JsonServiceClient(baseUrl);
client.bearerToken = jwtToken;
这意味着我将不得不将jwtToken存储在自己的cookie值中,因为我的应用程序需要在应用程序的不同区域中创建多个JsonServiceClient实例.
是保存JWT令牌的Cookie,它会收到后续请求.
I understand from security perspective the concept of an httponly flag for the value of Set-Cookie Response header and preventing XSS attacks.
What I do not understand is, what is ServiceStack doing with the "ss-tok" cookie that saves the bearerToken.
According to ServiceStack documentation I can convert to a stateless session by issuing a stateless JWT Cookie like so:
var authResponse = client.Send(new Authenticate {
provider = "credentials",
UserName = username,
Password = password,
UseTokenCookie = true
});
The UseTokenCookie is set to true. And the httponly "ss-tok" cookie is created upon successful authentication.
Yet I cannot seem to use this token cookie, stored with the name "ss-tok", for anything. I cannot retrieve it with Javascript obviously and I cannot seem to get it to be sent in JsonServiceClient requests.
My ServiceStack resource microservices do not ever receive the value of "ss-tok" in any secure request. I have to explicitly set the bearerToken for any secure request.
I have to explicitly pass the bearerToken or refreshToken with my JsonServiceClient as stated in the ServiceStack documentation on this matter.
I must be doing something wrong, I thought this documentation was the part I was missing, this code here:
var client = new JsonServiceClient(baseUrl);
client.SetCookie("ss-tok", jwtToken);
But this code makes no sense actually, since the value of "ss-tok" is not being sent to my resource microservices, I have to explicitly set bearerToken value like I said earlier:
var client = new JsonServiceClient(baseUrl);
client.bearerToken = jwtToken;
This means I will have to store jwtToken in my own cookie value because my app will need to create multiple instances of JsonServiceClient in different areas of the app.
It is the Cookie that holds the JWT Token which does get sent on subsequent requests like any other Cookie.
这篇关于ServiceStack身份验证中httponly ss-tok bearerToken cookie的意义是什么的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!