Problem description
Conceptually, I really like JWT as it is in line with the statelessness of REST etc. (no state saved server-side; all relevant data is contained in the token).
What I am unsure about: how would you handle token expiry when not connected (i.e., a "remember me" functionality)?
There's emerging coverage of JWT on the web, but I couldn't find anyone that has answered the expiry question yet.
Clarification: I am not asking how to handle a token that is soon to expire, but what to do when a token has already expired (the user closed the website/app for a while). The simplest solution that comes to my mind is caching the user's credentials, which is rather insecure.
Recommended answer
I am not so sure if I follow, but I will write what I think.
Imagine the token as a hotel card: you pay in advance for 5 days (remember me set to expire in 5 days). I can enter the building, garage, room, etc. within those 5 days; after those 5 days, it won't work anymore.
What to do when the token has already expired? Nothing at all.
Imagine I pay for those 5 days and, meh, I have an emergency and go back home (with the card in my pocket). The hotel doesn't care at all; when the 5 days pass, the card is just a useless piece of plastic, and if you try to use it at the hotel, it will do nothing.
So back to web development. If you offer a remember me service, you can set an expiry date of, let's say, 7 days. As long as the user has the token, he can access the service without any problem. If he loses the token, he needs to log in again. If he uses the token and it has expired, he will need to log in again too.
If he logs in, he gets a token for 7 days; if he doesn't use it anymore and comes back after 20 days, he would need to log in again, and the server will just decline his requests until he does so.
What I would do, if you use something like Angular on the frontend, is to check the token's validity on startup so you can have a nice user experience.
What I don't understand about your question is the caching thing, though.
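As an added example (not part of the question or this answer), here is what the two checks from the answer look like in code: the server verifying an HS256 JWT's signature and `exp` claim and declining anything expired or tampered, and the frontend startup check that only reads `exp` to decide whether to show the login form. The secret, subject and timestamps are constructed sample values, and the 7-day / 20-day figures are the ones from the answer.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, ttl_seconds: int, now: int, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT whose exp is now + ttl (remember me for 7 days => ttl = 7*86400)."""
    compact = dict(separators=(",", ":"))
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps({"sub": sub, "iat": now, "exp": now + ttl_seconds}, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, now: int, key: bytes = SECRET, leeway: int = 30) -> Optional[dict]:
    """Server-side check: return the claims if signature and exp are good, else None.
    The signature is checked first, in constant time, so a forged exp is never trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse "none" or any algorithm we did not issue
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
            return None  # expired: the hotel card no longer opens anything
        return claims
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None

def needs_login_on_startup(token: Optional[str], now: int) -> bool:
    """Frontend startup check from the answer: read exp WITHOUT trusting it (the client has
    no key) purely to decide whether to show the login form instead of a failing request."""
    if not token:
        return True
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
        return now >= int(claims["exp"])
    except (ValueError, KeyError, IndexError, TypeError):
        return True
```

The client-side check is a UX shortcut only; the server's `verify_token` remains the authority, since an attacker can edit the unsigned payload in their own browser but cannot produce a valid signature for it.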