Best way to implement JWT?


Problem description

I'm creating JWT authentication and I have some doubts:

  1. To increase security, could it be a good idea to save the user's token in the database and check, every time, whether the token sent to the API matches the one saved in the database? Is it really useful?

  2. To avoid saving user info in the session, is it a good idea to put the email, whether he is an admin, etc. in the JWT's payload?

  3. If I save the user info in the JWT's payload and the user changes his email or other info, how could I automatically update the user's token saved in his browser?

  4. Is it better to save the token as a cookie or in web storage?

Recommended answer

To increase security, could it be a good idea to save the user's token in the database and check, every time, whether the token sent to the API matches the one saved in the database? Is it really useful?

This defeats the object of using JWTs at all. JWTs have the advantage that you don't have to track sessions server-side: they are purely client-side. JWTs have the disadvantage that you can't revoke tokens because of this (the price you pay). If you want the extra security, don't use JWTs; track sessions server-side using a random token (CSPRNG, 128 bit).

To avoid saving user info in the session, is it a good idea to put the email, whether he is an admin, etc. in the JWT's payload? If I save the user info in the JWT's payload and the user changes his email or other info, how could I automatically update the user's token saved in his browser?

Well, you could use a user identifier instead of the email, for example the primary key of your user table. Then if they update their information the token is still valid. You should set short expiry dates, so if the user is no longer an admin they will have to request a new token (often called a refresh token) and the new token will not have the admin claim.

Is it better to save the token as a cookie or in web storage?

Up to you. If stored in a cookie it is sent with every request. If you'd prefer to retrieve the value with JavaScript, then use web storage. If using a cookie, set the Secure flag to prevent it leaking over plain HTTP, and the HttpOnly flag to secure it from any XSS vulnerabilities on your domain. Web storage cannot be secured against XSS in the same way (you need to make damn sure the whole of your domain is protected); however, it is less likely to be leaked over plain HTTP.
