Why do we need JWT when we have client sessions?


Problem description

I understand that JWT are stateless tokens that store signed information about the client's claim and are passed to a server via the Authorization HTTP header.

My question is, why do we need JWT when we already have client sessions (https://github.com/mozilla/node-client-sessions)? Client sessions are conceptually the same. They're cookies that contain signed information which, when verified, means the cookie hasn't been tampered with. Also, client sessions are stored in a cookie and passed via the Cookie HTTP header. It's the same thing only using different words. Am I wrong?

So, why is JWT even around? I could understand that maybe the point is to standardize the way authentication tokens work, but we got along fine without a session ID based standard (each implementation did things their own way). Also, why would the JWT not use cookies as a means of transfer? With cookies, you wouldn't need to explicitly send the correct header for every request (simplifying Ajax requests).

What am I missing?

Recommended answer

JWT tokens are signed JSON formatted documents that assert claims about a user (or any principal). If you trust the issuer of the token, you trust the claims in the token and can make authorization decisions based on this.

JWT tokens are often used for calling external Web APIs. These APIs do not necessarily live on the same domain as your website and therefore cannot use the same cookies as your site. JWT tokens are used in REST services as they do not need any session info stored on the server. Using JWT tokens is also not vulnerable to CSRF attacks.
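To make "signed JSON document" and "trust the issuer" concrete, here is an added example (not from the question, the answer, or node-client-sessions) that builds and verifies a minimal HS256 JWT with only the Python standard library; the secret key and the claims are constructed for the demo. The verifier rejects an edited payload, a token signed with a different key, an expired token, and a header that tries to pick its own algorithm, which is exactly the "hasn't been tampered with" property the question attributes to signed session cookies, carried in a different header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real issuer keeps its key out of source control.
SECRET = b"demo-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Compact HS256 JWT: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if the signature and 'exp' check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # bad base64, bad UTF-8, bad JSON or wrong part count
        return None
    # Pin the algorithm: the token's own header must not choose how it is checked.
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # claims were edited, or signed by someone without the issuer's key
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        return None  # expired
    return claims


def replace_claims_keep_signature(token: str, new_claims: dict) -> str:
    """Re-encode the claims but keep the old signature; verify_jwt must reject this."""
    h, _, s = token.split(".")
    return f"{h}.{b64url(json.dumps(new_claims, separators=(',', ':')).encode())}.{s}"
```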

