Spring authentication, does it use encrypted cookies?


Question

Does the Spring Framework use (or in one of the options that it supports) encrypted cookies that store the logged-in user's userId in a cookie?

This is how ASP.NET authentication works, where it encrypts a value in a cookie, which is normally the userId or username.

Is that what Spring does? (I realize Spring lets you choose, but is this the most common approach generally?)

Recommended answer

I don't have the source handy to prove this, but the answer to the question is no.

Spring Security handles everything on the server side. The only cookie on the client is the one for JSESSIONID, and the security framework merely checks for the authentication/principal object in the request's session (at least under the default setup).

I don't understand why you would store any sort of authentication information in the client's cookie if you could simply store a sessionID and track authentication details and state on the server side.
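
The session-based model described in the answer, as an added example that is not part of the original answer or of Spring's own code: a diagnostic endpoint that lists the cookie names the client sent next to the principal the server reads from its own session. It assumes a Spring Boot web application with Spring Security 6 (jakarta namespace) in its default session-based setup; the class name and the `/debug/whoami` path are hypothetical.

```java
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical diagnostic endpoint; class name and path are assumptions.
@RestController
public class SessionInspectionController {

    @GetMapping("/debug/whoami")
    public Map<String, Object> whoami(HttpServletRequest request) {
        Map<String, Object> out = new LinkedHashMap<>();
        // What the client sent: cookie names only, never echo the values.
        List<String> cookieNames = new ArrayList<>();
        if (request.getCookies() != null) {
            for (Cookie c : request.getCookies()) {
                cookieNames.add(c.getName());
            }
        }
        out.put("cookiesSent", cookieNames);
        // What the server holds: look up the session without creating one.
        HttpSession session = request.getSession(false);
        Object attr = (session == null) ? null : session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (attr instanceof SecurityContext ctx && ctx.getAuthentication() != null) {
            // The principal comes from server-side state, not from any cookie value.
            Authentication auth = ctx.getAuthentication();
            out.put("authenticated", auth.isAuthenticated());
            out.put("principalName", auth.getName());
        } else {
            out.put("authenticated", false);
        }
        return out;
    }
}
```

After a login under the default setup, `cookiesSent` should contain only `JSESSIONID`, while `principalName` is resolved from the `SPRING_SECURITY_CONTEXT` session attribute on the server.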
