Invalidating client side JWT session


Question

I've read a lot about JWT and how to create "stateless" sessions through JWT. The gist of what I understand is that because of the signature & expiration, you can essentially send the entire session to be saved by the client and the server does not have to maintain a db to remember the session.

What I don't understand is: what if your user needs to log out, or you need to invalidate the session before it expires?

Technically, you could instruct the browser to delete it from the client side, but you can't be sure this actually occurred. The token itself is technically still valid and if your deletion instructions weren't followed, it could still be used.

Is this understanding correct? If so, isn't this a huge fault with client-side session management? Are there any methods to overcoming this aside from having the server store the session or making the expiration time short?

Answer

There are several reasons to invalidate a JWT token before its expiration time: account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin. So your question is on topic.

There are several techniques to apply or combine depending on your use case:

1) Delete the client-side token from local storage

2) Token blacklist: store tokens that were between logout & expiry time, mark them expired and check it in every request. Use a unique identifier jti, or include the last login date and the issued-at time iat, to remove old tokens.

Server storage is needed. If you do not expect too many tokens to revoke, you could also use an in-memory blacklist. You only need to set an entry after updating critical data on the user and currentTime - maxExpiryTime < lastLoginDate (iat). The entry can be discarded when currentTime - maxExpiryTime > lastModified (no more non-expired tokens sent). In this case it is not necessary to store the entire token, just sub, iat and maybe jti.

3) Short expiry times, and rotate them. Issue a new access token every few requests. Use refresh tokens to allow your application to obtain new access tokens without needing to re-authenticate, and combine with sliding-sessions.

Sliding-sessions are sessions that expire after a period of inactivity. When a user performs an action, a new access token is issued. If the user uses an expired access token, the session is considered inactive and a new access token is required. This new token can be obtained with a refresh token or by requiring credentials.

  • Allow changing the user's unique ID if the account is compromised, with a new user & password login

To invalidate tokens when the user changes their password, sign the token with a hash of their password. If the password changes, any previous tokens automatically fail to verify. Extend this mechanism with other fields of interest to sign. The downside is that it requires access to the database.

Change the signature algorithm to revoke all current tokens in case of major security issues.

Take a look at Invalidating JSON Web Tokens
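As an added illustration (not code from the question or the answer above), the following Python sketch combines three of the techniques the answer lists: signing with a key that mixes the server secret with the user's password hash, a per-user in-memory blacklist keyed on sub and iat that can be purged once no unexpired token can match it, and a verify() that rejects tampered, expired and revoked tokens. The user store, server secret and timestamps are constructed for the example.

```python
import base64, hashlib, hmac, json

SERVER_SECRET = b"server-side-secret"   # constructed for this example
MAX_EXPIRY = 3600                       # longest lifetime (seconds) any issued token can have

# Hypothetical user store. The signing key mixes the server secret with a hash of the
# user's password, so a password change makes every earlier token fail verification.
USERS = {"alice": {"pw_hash": hashlib.sha256(b"old-password").hexdigest()}}

# In-memory blacklist keyed on sub: tokens whose iat is before this timestamp are rejected.
# An entry can be dropped once now - MAX_EXPIRY > lastModified (no unexpired token can match).
REVOKED_BEFORE = {}

def _b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=")
def _unb64(s): return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))
def _key(sub): return SERVER_SECRET + USERS[sub]["pw_hash"].encode()

def issue(sub, now, ttl=MAX_EXPIRY):
    """Mint an HS256 token carrying sub, iat and exp."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(_key(sub), header + b"." + payload, hashlib.sha256).digest()
    return (header + b"." + payload + b"." + _b64(sig)).decode()

def revoke_all(sub, now):
    """Admin logout / permission change: every token issued before now becomes invalid."""
    REVOKED_BEFORE[sub] = now

def change_password(sub, new_password):
    """Rotating the password hash rotates the signing key, so old tokens stop verifying."""
    USERS[sub]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()

def verify(token, now):
    """Return the claims if the token is valid, or None if tampered, expired or revoked."""
    try:
        h, p, s = token.encode().split(b".")
        claims = json.loads(_unb64(p))
        expected = hmac.new(_key(claims["sub"]), h + b"." + p, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)): return None  # bad signature or password changed
        if now >= claims["exp"]: return None                          # expired
        if claims["iat"] < REVOKED_BEFORE.get(claims["sub"], -1): return None  # revoked
    except (ValueError, KeyError, TypeError):
        return None                                                   # malformed token or unknown user
    return claims

def purge_blacklist(now):
    """Drop blacklist entries that can no longer match an unexpired token."""
    for sub in [s for s, t in REVOKED_BEFORE.items() if now - MAX_EXPIRY > t]:
        del REVOKED_BEFORE[sub]
```

In a real service the parsing would come from a maintained JWT library; the part worth copying is the revocation logic wrapped around verification.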
