Question
I still cannot understand what the main purpose of JWT is. As for me, the only purposes are:
- to overcome CSRF
- and to ensure better mobile support (because in some cases mobile apps don't support cookies).
Also there is a claim that with JWT you don't have to worry about session storage on the server side. This is not clear to me. How could JWT completely replace session storage on the server side? Does this mean that we put all session data into the JWT, encrypt it and send it to the client on every response? But if so, does that mean the token issued by the server will change depending on the data which we used to store in the session? And as I understand it, the only thing that prevents us from using a cookie this way (without session storage on the server side) is the size limit on cookies: only 4KB.
Also, do we still need to use SSL to prevent session hijacking? Please tell me if my understanding is right or if there are some other aspects.
Answer
JWTs in themselves are just self-contained tokens and don't provide CSRF protection. The protocol used to deliver the JWT may (or should) provide means to prevent CSRF.
One area where JWTs are notably "better" than cookies is their cross-domain capability. You can read more on the comparison between tokens and cookies here: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
JWTs can be self-contained so they have all the information that you need in a verifiable container that would enable you to use them without storing them (or a reference to them). But there may be more data that you need in a session so avoiding session storage in general is not a reason in itself for moving to JWTs.
SSL is required for sure to prevent token leakage and session hijacking.
This concludes the article "Do I need to use JSON Web Tokens for session storage? Why not use cookies?".