Log out a stateless app

Views: 57

Question

This is my project structure:

  • UI: AngularJS app
  • Backend: Java + MongoDB stateless app

The UI authenticates a given user and the REST API responds with a JWT token. For every subsequent request, the REST API expects the token in the header, and if it's not there it returns an Unauthorized error.

Now, what is the best way to implement a logoff feature? One thing is clear: I will be deleting the token from the UI cookie. But I need to tell the server that the user has logged out.

I was thinking of maintaining an in-memory DB to keep track of who has logged in and removing the user from memory once he is logged out, BUT it would make the app some sort of stateful (I guess). Also, it could become complicated to scale the app, since I would have to replicate the in-memory users across all nodes.

For every REST call, I am fetching the user details from MongoDB. Would it make sense to use the DB to store the logged-in status? I am just thinking out loud, since I don't know which direction to head in.

Answer

If you are using JWTs to maintain sessions client-side, then the server should have no concept of logged-in and logged-out users.

This is the price you pay for deciding to use JWTs (which may be fine of course, depending on your risk appetite for the application).

If you wish to log users out server-side, then you should scrap the JWT model and record sessions server-side. That way you can delete the server-side record as well as the cookie on logout.
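The difference the answer describes, shown as an added example that is not part of the question or the answer and not code from the asker's project: a minimal HMAC-signed token in the JWT style, verified purely from its signature and expiry, next to a server-side session store whose record can be deleted on logout. The secret, the user names and the in-memory dict standing in for MongoDB are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed secret for the example; a real deployment loads it from configuration.
SECRET = b"example-hmac-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint a minimal HS256-style token (header.payload.signature). The server keeps nothing but SECRET."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": int(now + ttl_seconds)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if signature and expiry check out, else None. No lookup anywhere:
    the server cannot tell a 'logged out' token from a live one."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:          # malformed base64, JSON or wrong number of segments
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


class SessionStore:
    """The answer's alternative: the client holds only an opaque id; the server owns the record."""

    def __init__(self) -> None:
        self._sessions = {}      # session id -> user; in the asker's app this would live in MongoDB

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)    # deleting the record is what makes logout real server-side

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


def demo_jwt_logout_gap() -> Tuple[Optional[str], Optional[str]]:
    """'Logout' under the JWT model: the UI drops its cookie, but any retained copy still verifies."""
    token = issue_jwt("alice")
    ui_cookie = token            # what the browser stores
    retained_copy = token        # e.g. a copy left in a log or a proxy cache
    ui_cookie = None             # the UI 'logs out'
    return (verify_jwt(ui_cookie) if ui_cookie else None, verify_jwt(retained_copy))


def demo_server_session_logout() -> Tuple[Optional[str], Optional[str]]:
    """Same sequence with a server-side session record: after logout every copy of the id is dead."""
    store = SessionStore()
    sid = store.login("alice")
    retained_copy = sid
    before = store.user_for(retained_copy)
    store.logout(sid)
    return (before, store.user_for(retained_copy))


if __name__ == "__main__":
    print("JWT model (ui cookie, retained copy):", demo_jwt_logout_gap())
    print("Server-side session (before, after logout):", demo_server_session_logout())
```

Running the module prints `(None, 'alice')` for the JWT case and `('alice', None)` for the session-store case: under the JWT model the only thing that ends a session is the `exp` claim, which is why short lifetimes (and, if needed, a server-side denylist, which reintroduces exactly the state the asker wanted to avoid) are the usual mitigations.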
