JSON Web Token (JWT) benefits over a database session token


Question


With a database session token system I could have a user login with a username/password, the server could generate a token (a uuid for example) and store it in the database and return that token to the client. Every request from thereon would include the token and the server would look up whether the token is valid and what user it belongs to.


Using JWT there would be no need to save anything to the database with respect to session/tokens thanks to the combination of the secret key kept on the server and the signed token the client keeps and sends with every request.


This is good but besides saving a database check each request (which would be fast anyway since it's just checking a hash table) it's not clear to me what the advantages are of using JWT. Can anyone familiar with this explain? Let's ignore cookies, it's specifically a database custom token as described above and JWT that I am trying to compare and understand the benefits.

Answer


The main difference is the session storage size and lookup work required from the server:


  • On the server side, JWT stores a single key in memory (or in a config file) - called the secret key. That key has two purposes: it enables creating new encrypted tokens and it also functions like a master key that "opens all locks" - or in real life verifies all tokens. As a result the server responds much faster to auth requests, because it doesn't matter if you have two or two million users logged in - the same number of records (one, that server key) will be used to authenticate all client requests.


Traditional authentication that stores user sessions in a database creates a record in the db for every single user, which results in multiple keys. So if you have two million users logged in, the server will create two million records and with each client request the server needs to locate the relevant session record in the database*.


JWT leaves it up to the client side to store and handle the entire session/user object. It actually makes much more sense because every client handles their own data only, so it doesn't cause heavy lifting for the client side either.


As for what you wrote in your last paragraph, it's not just db calls that we save here. JWT is actually much more scalable because of its independent and lightweight nature; it doesn't fail as auth requests pile up, and it allows the server to handle auth across devices and services without managing sessions on the server side.


Security wise though, db sessions arguably have the upper hand: they can be more secure because of that latency, and are also less vulnerable to session hijacking after user logout.


*The db stored sessions method can be optimized with effective caching and by storing only the session id (as opposed to the entire user object) in a fast key/value server such as Redis. That said, I would still choose the JWT method over db for most cases.
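As an added illustration of the two mechanisms the answer contrasts (example code, not from the original post): a minimal HS256 JWT issuer/verifier that keeps only one server-side key, beside a dictionary standing in for the session table; the secret, user names and timestamps are constructed placeholders. `logout_comparison` shows the security caveat from the answer: a deleted session record fails on the very next lookup, while a JWT the server never stored stays valid until its `exp` claim passes.

```python
import base64, hashlib, hmac, json, uuid
SECRET = b"constructed-server-secret"  # assumption: placeholder key; load from config in practice

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_issue(user: str, ttl: int, now: int) -> str:
    # HS256: header.payload signed with the single server-side key; nothing is stored server side
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_verify(token: str, now: int):
    # Returns the subject when signature and expiry check out, else None. One key, no lookup.
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # the verifier, not the token, decides the algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError):
        return None  # malformed base64/JSON or a non-object header
    return claims.get("sub") if claims.get("exp", 0) > now else None

# Database-style sessions: one record per logged-in user, consulted on every request.
SESSIONS = {}

def session_issue(user: str) -> str:
    token = str(uuid.uuid4())
    SESSIONS[token] = user
    return token

def session_verify(token: str):
    return SESSIONS.get(token)

def session_logout(token: str) -> None:
    SESSIONS.pop(token, None)

def logout_comparison(now: int) -> tuple:
    # The answer's caveat: a deleted session record dies at once, a JWT stays valid until exp.
    s = session_issue("alice")
    session_logout(s)  # record gone: the next lookup fails immediately
    j = jwt_issue("alice", ttl=3600, now=now)  # on "logout" the server has nothing to delete
    return session_verify(s), jwt_verify(j, now + 60), jwt_verify(j, now + 3600)
```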
