What is the difference between JWT and signed cookies?


Question

I'm looking into JWT as an alternative to traditional sessions with cookies, but I fail to see how they differ fundamentally from signed cookies that, for example, Express offers through middleware like cookie-parser.

In both of them, the last part is the signature of the payload, which guarantees the payload hasn't been tampered with.

Signed cookie:

user=tobi.CP7AWaXDfAKIRfH49dQzKJx7sKzzSoPq7/AcBBRVwlI3

Equivalent JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiVG9iaSJ9.kCTlR_Igb4H5cqBEDedShM2ivSQijPQkWqN4pZAXb2g

Apart from the facts that

(1) JWT doesn't come with origin restrictions, and that

(2) the cookie content is immediately human-readable, whereas the JWT content (header + payload) is base64 encoded,

is there anything that gives JWT a clear advantage over signed cookies?

Answer

Beware of mixing the concerns: cookies are primarily a mechanism for storing data on the client; they aren't inherently an authentication mechanism, but we use them that way :)

The primary benefit of JWTs is the declared structure (JSON, with common fields) and the declared mechanism for signing them. This is all just specification; there is nothing special about it. But it is nice to have a common way of persisting identity assertions.

You still need to store your JWT in a secure fashion, and cookies with HttpOnly; Secure are the best option. This prevents the cookie from being read by the JavaScript environment, which prevents XSS attacks.

I've written some blog posts about JWTs; they contain more information that will help to answer your question:

Build Secure User Interfaces Using JSON Web Tokens (JWTs)

Token Based Authentication for Single Page Apps (SPAs)

Disclaimer: I do work at Stormpath. We sponsor open-source JWT libraries for Node.js and Java, which can be found here:

https://github.com/jwtk

If you are using AngularJS, we also implement JWT best practices out of the box with our Stormpath Angular SDK.
