基于表单的身份验证和基于令牌的身份验证之间的区别 [英] Difference between Forms based authentication and Token based Authetication
问题描述
如何确定用于身份验证的身份验证. (例如:基于表单的身份验证或基于令牌的身份验证).
How to decide which authentication to use for authentication. (Ex: Forms based Authentication or Token Based Authentication).
使用基于令牌的身份验证而不是基于表单/会话/cookie的身份验证有什么好处.我已经在线阅读了多篇文章,但仍不清楚.
What are the merits of using Token based Authentication over forms/session/cookie based authetication. I have read multiple articles online but still unclear.
任何人都可以解释一下如何在网络和移动平台的这两者之间进行选择 用户身份验证.
Can anyone explain me how to choose between these two for web and mobile platform user authentication.
推荐答案
JWT更好,除非您有我不知道的特定需求.
JWT is better unless you have a specific need that I'm not aware of.
会话需要cookie,并且cookie仅在浏览器中有效 JWT:本质上是JSON格式的数据,因此您可以在不同的平台上使用它.
Session requires cookies and cookies only works in the browser JWT: essentially, data in JSON format so you can work with it in different platform.
此外,JWT的安全性更高.如果您使用cookie作为持久身份验证机制,则可能会遭受CSRF攻击.黑客可以诱骗受害者进入他的网站,然后单击某些按钮,由于每个请求都会自动发送cookie,因此他的请求将作为受害者发送.
Also, JWT is more secured. You would be vulnerable to CSRF attacks if you're using cookies as a persistent authentication mechanism. A hacker can trick the victim into his website and click something buttons and his request would be sent as the victim because cookies are sent automatically with each request.
使用JWT,您可以将其存储在任何存储设备中,即:用于台式机的localStorage. JWT会手动发送您的每个请求.因此上述情况不会发生.
With JWT, you can store it in whatever your storage is, i.e: localStorage for desktop. JWT is mannually send with each request from you. So the above scenario won't happen.
黑客可以在localStorage中修改您的JWT并添加更多声明,即:将用户类型从用户"更改为管理员",不!它需要一些只有服务器才有的私钥.您可以尝试Auth0并在jwt.io中对其进行测试.
Can a hacker modify your JWT in localStorage and add more claims, i.e: change the user type from 'user' to 'admin', nope!. It requires some private key which only the server has. You can try Auth0 and test it out in jwt.io.
这些是关键点,imo.还有其他好处,但您可以通过Google轻松找到.
Those are the key points, imo. There are other benefits but you can easily find out via google.
这篇关于基于表单的身份验证和基于令牌的身份验证之间的区别的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
