Invalidating client side JWT session


Question

I've read a lot about JWT and how to create "stateless" sessions through JWT. The gist of what I understand is that because of the signature & expiration, you can essentially send the entire session to be saved by the client and the server does not have to maintain a db to remember the session.

What I don't understand is what happens if your user needs to log out, or you need to invalidate the session before it expires?

Technically, you could instruct the browser to delete it from the client side, but you can't be sure this actually occurred. The token itself is technically still valid and if your deletion instructions weren't followed, it could still be used.

Is this understanding correct? If so, isn't this a huge fault with client-side session management? Are there any methods of overcoming this aside from having the server store the session or making the expiration time short?

Answer

There are several reasons to invalidate a JWT token before its expiration time: account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin. So your question is on topic.

There are several techniques to apply or combine depending on your use case:

1) Remove the token from the client's local storage.

2) Token blacklist: Store tokens that are between logout & expiry time, mark them expired and check it in every request. Use a unique identifier jti, or include the last login date and issued-at iat to remove old tokens.

Server storage is needed. If you do not expect too many tokens to revoke, you could also use an in-memory blacklist. You only need to set an entry after updating critical data on the user and while currentTime - maxExpiryTime < lastLoginDate (iat). The entry can be discarded when currentTime - maxExpiryTime > lastModified (no more non-expired tokens can be sent). In this case it is not needed to store the entire token. Just sub, iat and maybe jti.

3) Keep expiry times short and rotate them. Issue a new access token every few requests. Use refresh tokens to allow your application to obtain new access tokens without needing to re-authenticate, and combine with sliding-sessions.

Sliding-sessions are sessions that expire after a period of inactivity. When a user performs an action, a new access token is issued. If the user uses an expired access token, the session is considered inactive and a new access token is required. This new token can be obtained with a refresh token or by requiring credentials.

  • Allow changing the user's unique ID if the account is compromised, with a new user & password login.

To invalidate tokens when the user changes their password, sign the token with a hash of their password. If the password changes, any previous tokens automatically fail to verify. Extend this mechanism with other fields of interest to sign. The downside is that it requires access to the database.

Change the signature algorithm to revoke all current tokens in case of a major security issue.

See Invalidating JSON Web Tokens
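The following is an added example, not code from the question or the answer above. It implements two of the techniques the answer describes in a single place: an in-memory blacklist that keeps only jti, sub and a per-user "last modified" cut-off (discarded once no non-expired token can still match it), and an HMAC signing key derived from the user's stored password hash so that a password change makes every earlier token fail verification. The HS256 encoding is done with the standard library only; the secret, the 3600-second lifetime, the sha256 password hash (a stand-in for a slow password hash) and the `users` dictionary are all constructed assumptions standing in for a real secret store and database.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed placeholder secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
MAX_EXPIRY = 3600  # maximum token lifetime in seconds (assumed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str) -> str:
    # Stand-in for the stored password hash; real systems use bcrypt/argon2 here.
    return hashlib.sha256(password.encode()).hexdigest()


def signing_key(password_hash: str) -> bytes:
    # The HMAC key depends on the server secret *and* the user's current password
    # hash, so changing the password invalidates every previously issued token.
    return hmac.new(SERVER_SECRET, password_hash.encode(), hashlib.sha256).digest()


def issue_token(sub: str, password_hash: str, now: int) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + MAX_EXPIRY, "jti": uuid.uuid4().hex}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(signing_key(password_hash), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class RevocationList:
    """In-memory blacklist: per-token jti entries plus per-user cut-off timestamps."""

    def __init__(self):
        self.jti = {}     # jti -> exp, for logging out a single token
        self.cutoff = {}  # sub -> lastModified; tokens issued before it are dead

    def revoke_token(self, payload: dict):
        self.jti[payload["jti"]] = payload["exp"]

    def revoke_user_before(self, sub: str, now: int):
        # Called after critical user data changes (permissions, admin logout, ...).
        self.cutoff[sub] = now

    def is_revoked(self, payload: dict) -> bool:
        if payload["jti"] in self.jti:
            return True
        return payload["iat"] < self.cutoff.get(payload["sub"], 0)

    def prune(self, now: int):
        # Drop entries once no non-expired token could still match them.
        self.jti = {j: exp for j, exp in self.jti.items() if exp > now}
        self.cutoff = {s: t for s, t in self.cutoff.items() if now - MAX_EXPIRY < t}


def verify_token(token: str, users: dict, revoked: RevocationList, now: int):
    """Return (payload, "ok") on success, or (None, reason) on failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None, "bad alg"
    user = users.get(payload.get("sub"))  # the database access the answer mentions
    if user is None:
        return None, "unknown user"
    expected = hmac.new(signing_key(user["password_hash"]),
                        f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"  # also the result after a password change
    if payload["exp"] <= now:
        return None, "expired"
    if revoked.is_revoked(payload):
        return None, "revoked"
    return payload, "ok"


if __name__ == "__main__":
    users = {"alice": {"password_hash": hash_password("constructed-pw")}}
    rev = RevocationList()
    t0 = int(time.time())
    tok = issue_token("alice", users["alice"]["password_hash"], t0)
    print(verify_token(tok, users, rev, t0 + 5)[1])    # ok
    rev.revoke_user_before("alice", t0 + 10)
    print(verify_token(tok, users, rev, t0 + 15)[1])   # revoked
```

The check order matters: the signature is verified before the blacklist is consulted, so an attacker cannot probe the revocation list with forged tokens, and the per-user cut-off means a permission change needs one small entry rather than one per outstanding token.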

