我希望几个相关网络应用的客户端拥有自己的身份验证状态。这提高了可伸缩性,因为不需要群集节点之间的会话复制。它使得Java Servlets和PHP等不同服务器技术的集成变得更加容易。
I want the clients of several related web apps to hold their own authentication state. This improves scalability, because no session replication between cluster nodes is needed. And it makes integration of different server technologies like Java Servlets and PHP easier.
- 设置一个带签名和加密的cookie客户端身份验证后的用户名和会话到期时间。
- 当客户端发送请求时,服务器会解密并验证cookie并根据cookie值授予或拒绝访问权限。
- 会话过期将通过重置cookie来更新。
All servers that want to use the session have only to know the cookie mechanism and the decryption key. See also: Session state in the client tier
这种方法可以吗?是否可以将它集成到servlet容器/应用程序服务器中,以便它对应用程序透明?例如,servlet应该能够使用HttpServletRequest#getRemoteUser()。这可能吗?或者我是否需要像Spring Security这样的容器级别以上的东西?是否有任何现有的客户端会话管理库?
Is this approach ok? Would it be possible to integrate it into a servlet container / application Server so that it is transparent to the applications? A servlet should be able to use HttpServletRequest#getRemoteUser() for example. Is this possible? Or would I need something above the container level like Spring Security? Are there any existing libraries for client side session management?
Not a good idea. Storing vital data like session expiry and user name entirely on client side is too dangerous IMO, encrypted or not. Even if the concept is technically safe in itself (I can't answer that in depth, I'm no encryption expert), a break-in could be facilitated without compromising your server, just by acquiring your encryption key.
Somebody who gets hold of the key could generate session cookies at will, impersonating any user for any length of time, something the classical session concept is designed to prevent.
There are better and scalable solutions for this problem. Why not, for instance, set up a central session verification instance that all associated servers and services can poll? Look around on the web, I am 100% sure there are ready-made solutions addressing your needs.