Could JWT (JSON web token) totally replace Session?


Question

I know that JWT could be used to replace cookie/session based authentication; we used it in a previous project, and I understand that using JWT has a lot of benefits, such as being stateless, CDN support, avoiding CSRF attacks, better support for cluster environments, etc.

However, I'm very confused about whether JWT could totally replace Session. If we want to fully leverage JWT to keep all the session state, then it means that any time the server backend wants to add any state into the session, instead of doing that, the server side has to re-generate a new token with that info and the client side has to update to the newly generated token. I doubt whether that's the right way or not.

And if we only leverage JWT to support authentication and keep only user credential info, although the authentication service could be de-coupled as a standalone microservice, the session would still be necessary for the business service backend if we want to keep some session state, right? While reading the Spring documentation, it recommends leveraging Redis to save session state to support a cluster environment.

Overall, I'm very confused about whether JWT could be used to fully replace session or not.

Thanks a lot.

Answer

(This is not an answer yet. Just some info I have collected so far. I am having exactly the same question. I will change it to an answer when I thoroughly solve this question.)

So far, I think JWT can be used to replace session+cookie as far as authentication is concerned. But session is not just used for authentication; it is actually more meant for user-specific data storage. I am not sure if JWT can replace session for that purpose given JWT's size limit (described below). And IMHO, authentication just happened to be one of the use cases of session, since such info must be user-specific.

If you use JWT in place of server side session, you probably will store the JWT as an HTTP header, and more likely as a Cookie (see here). But there's some size limit on the header, and 4K for a cookie. If you go with server side session, I don't think such a limit exists.

And this article lists some caveats of JWT.

ADD 1

And below is a similar thread questioning whether JWT can totally replace session storage. I just added some more answers there. Please do take a look.

Do I need session storage with JSON Web Tokens? Why not just use cookies?

ADD 2

If we store JWT as a cookie as in my first link above, isn't it a re-implementation of signed-cookie?

The answer is here: Do we store JWT as a cookie?

And another question of mine: Token based authentication and scalability? An illusion?
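The question and answer above both circle the same two costs of putting session state in a JWT: every server-side "write to the session" becomes a re-issued token the client has to swap in, and the token still has to fit under the ~4K cookie ceiling. The following added example (not code from either poster) makes both costs concrete with a stdlib-only HS256 JWT; the key, claim names and `COOKIE_LIMIT` value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: in a real deployment this comes from a secret store.
SECRET = b"demo-secret-for-illustration-only"
COOKIE_LIMIT = 4096  # the ~4K per-cookie ceiling mentioned in the answer

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Issue an HS256 JWT whose payload is the entire 'session'."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str) -> dict:
    """Check the signature (and pin the alg) before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))

def set_session_attr(token: str, key: str, value) -> str:
    """'Write to the session' with a stateless JWT: the server cannot mutate the
    token in place, so it verifies, copies the claims, adds the attribute and
    re-mints; the client must then replace the token it stores."""
    claims = verify(token)
    claims[key] = value
    new_token = mint(claims)
    if len(new_token) > COOKIE_LIMIT:
        raise ValueError(f"token is {len(new_token)} bytes, over the ~4K cookie limit")
    return new_token

if __name__ == "__main__":
    tok = mint({"sub": "alice"})
    tok = set_session_attr(tok, "cart", ["sku-1", "sku-2"])  # a new token, not an update
    print(verify(tok))  # {'sub': 'alice', 'cart': ['sku-1', 'sku-2']}
```

With a server-side session the same `set_session_attr` call would be a write to Redis or memory with no new token and no size ceiling, which is the trade-off the thread is asking about.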
