ASP.Net Core 2.1 API JWT无cookie会话? [英] ASP.Net Core 2.1 API JWT cookie-less sessions?

问题描述

有这样的东西吗?能做到吗? 会话是否基于JWT令牌而不是基于Cookie? Session.Ids在每次请求时都会更改. 没有cookie，有什么办法知道会话?

解决方案

HTTP是无状态协议.这意味着每个请求都被视为唯一，就像客户端以前从未提出过请求一样.会话是伪造状态的一种方式.它们的工作方式是服务器需要维护状态时，它会创建一个会话，并通过cookie将该会话的ID发送给客户端. Cookie只是一个响应标头，它指示客户端应保留某些数据，然后将其与每个后续请求一起发送回服务器.然后，客户端(Web浏览器)执行此操作:保存cookie，并在每次请求时将cookie发送回去.服务器在请求标头中接收cookie，使用它查找会话并还原"它，从而显示状态.

重要的是数据，即会话ID，不一定是"cookie".从某种意义上讲，这意味着您可以用其他某种机制替换cookie，只要客户端和服务器仍然来回传递会话ID，就可以了.但是，cookies 是用于网络浏览器的机制.每次用户导航到其他页面(发送请求)时，Web浏览器世界中都没有其他东西会自动将数据发送回服务器.如果这是一个涉及通用客户端的API，而另一端是程序员来决定如何格式化每个请求，那么您可以根据需要进行处理.实际上，由于这个原因，API通常不使用cookie-通常，有更好的方法来做事，而当您对请求具有完全控制权时，来回传递cookie. Web浏览器绝对不是这种情况，因此传统网站需要Cookie来保持状态.

在讨论中，JWT实际上是无关紧要的.这只是格式化数据的一种方式.它不能替代cookie.您的cookie可能是 JWT，实际上在许多现代的Web应用中，它们都是JWT，但是服务器仍会发送一个Set-Cookie标头，并且客户端仍将其保存在本地，并使用Cookie标头.

Is there such thing? Can this be done? Have sessions based on the JWT token and not on cookies? Session.Ids change for me on every request. Is there any way of knowing the session without cookies?

解决方案

HTTP is a stateless protocol. That means each request is treated uniquely as if the client had never made a request before. Sessions are a way of faking state. The way they work is when the server needs to maintain state, it creates a session and sends the id of that session to the client via a cookie. A cookie is just a response header that indicates that the client should persist a certain piece of data and then send it back to the server with each subsequent request. The client (web browser), then, does this: saves the cookie and sends the cookie back with each request. The server receives the cookie in the request headers, uses it to look up the session and "restores" it, giving the appearance of state.

The important part is the data, i.e. session id, not necessarily the "cookie". In a sense, that means you could potentially replace the cookie with some other mechanism, as long as the client and server still pass the session id back and forth, you're fine. However, cookies are that mechanism for web browsers. There is nothing else in the web browser world that will automatically send data back to the server each time a user navigates to a different page (sends a request). If this were an API with a generic client involved, and a programmer on the other end deciding how each request will be formatted, then you can handle it however you want. And indeed, APIs don't typically utilize cookies for this very reason - there's usually better ways to do things than passing cookies back and forth when you have full control over the request. That is definitely not the case with a web browser, so traditional websites need cookies to maintain state.

JWT is actually irrelevant in this discussion. It's merely a way of formatting data. It is not a replacement for cookies. Your cookies could be JWTs, and in many modern web apps they actually are, but the server still sends a Set-Cookie header with that, and the client still saves it locally and sends it back with the Cookie header.

这篇关于ASP.Net Core 2.1 API JWT无cookie会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！