为什么Google的OAuth2文档建议将个人资料ID存储在cookie中?

huangapple go评论87阅读模式
英文:

Why does Google's OAuth2 documentation recommend storing a profile ID in a cookie?

问题

Google的Go语言OAuth2文档,标题为“使用Go进行用户身份验证”,涉及一个书架示例应用程序,建议将配置文件信息存储在cookie中。例如,可以查看profileFromSession()函数,也可以在GitHub上找到链接。该文档表示:“由于配置文件信息存储在会话中,应用程序可以在不再从Google+ API获取的情况下检索它”。它存储了Google+的ID和DisplayName(通过plus.Person.ID和plus.Person.DisplayName)。

但这不是一种糟糕的做法吗?这不会让客户端轻易伪造用户配置文件,只需在cookie中放入不同的用户ID就可以访问任何用户在您的应用程序中的数据吗?

在从cookie中获取配置文件时,首先检查令牌是否有效,但这只是在本地检查令牌结构是否包含访问令牌以及是否已过期,而没有与Google服务器进行任何通信。客户端肯定可以构造一个带有任意配置文件ID的伪造cookie。该cookie是加密的(参见http://www.gorillatoolkit.org/pkg/sessions#NewCookieStore),但只是对称加密,使得加密密钥成为此攻击的唯一障碍。

Google的等效Java OAuth2文档似乎也是这样做的。

我是否误解了什么?我无法相信Google的文档会推荐如此不安全的做法。

英文:

Google's OAuth2 documentation for Go, titled "Authenticating Users with Go" and involving a bookshelf example application, suggests storing the profile information in a cookie. See, for instance, the profileFromSession() function, also visible in GitHub. That documentation says "Because the profile information is stored in the session, it can be retrieved by the application without fetching it again from the Google+ API". It stores the Google+ ID and DisplayName (via the plus.Person.ID and plus.Person.DisplayName).

But isn't that bad practice? Doesn't it make it easy for clients to fake the user profile, letting them access any user's data in your application by just putting a different user ID in the cookie?

When getting the profile from the cookie, it first checks if the token is valid, but that only checks locally if the token struct contains an access token and if it has expired, without any communication with Google's servers. Surely it would be possible for a client to construct a fake cookie with an arbitrary profile ID. The cookie is encrypted (see http://www.gorillatoolkit.org/pkg/sessions#NewCookieStore ), but only symmetrically, making the encryption key the only obstacle to this attack.

Google's equivalent Java OAuth2 documentation seems to do the same thing.

Have I misunderstood something? I can't believe that Google's documentation would recommend something so insecure.

答案1

得分: 1

示例使用HMAC来防止Cookie伪造。

更多细节:该示例使用Gorilla的securecookie包来访问Cookie。这个securecookie包使用crypto/hmac包来对Cookie进行签名和验证。

如果Cookie通过HTTPS发送,那么第三方就无法窃取Cookie。

securecookie包的加密功能在防止Cookie伪造或窃取方面不起作用。

英文:

The example uses HMAC to prevent cookie forgery.

More details: The example use Gorilla's securecookie package to access cookies. This securecookie package uses the crypto/hmac package to sign and verify cookies.

If the cookies are sent over a HTTPS, then a third party cannot steal a cookie.

The securecookie package's encryption feature plays no role in preventing forgery or theft of the cookies.

huangapple
  • 本文由 发表于 2017年9月7日 17:10:31
  • 转载请务必保留本文链接:https://go.coder-hub.com/46092368.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定