Token Authentication vs. Cookies

Problem description

What is the difference between token authentication and authentication using cookies?

I am trying to implement the Ember Auth Rails Demo but I do not understand the reasons behind using token authentication as described in the Ember Auth FAQ on the question "Why token authentication?"

Recommended answer

A typical web app is mostly stateless, because of its request/response nature. The HTTP protocol is the best example of a stateless protocol. But since most web apps need state, in order to hold the state between server and client, cookies are used such that the server can send a cookie in every response back to the client. This means the next request made from the client will include this cookie and will thus be recognized by the server. This way the server can maintain a session with the stateless client, knowing mostly everything about the app's state, but stored in the server. In this scenario at no moment does the client hold state, which is not how Ember.js works.

In Ember.js things are different. Ember.js makes the programmer's job easier because it holds indeed the state for you, in the client, knowing at every moment about its state without having to make a request to the server asking for state data.

However, holding state in the client can also sometimes introduce concurrency issues that are simply not present in stateless situations. Ember.js, however, deals also with these issues for you; specifically ember-data is built with this in mind. In conclusion, Ember.js is a framework designed for stateful clients.

Ember.js does not work like a typical stateless web app where the session, the state and the corresponding cookies are handled almost completely by the server. Ember.js holds its state completely in JavaScript (in the client's memory, and not in the DOM like some other frameworks) and does not need the server to manage the session. This results in Ember.js being more versatile in many situations, e.g. when your app is in offline mode.

Obviously, for security reasons, it does need some kind of token or unique key to be sent to the server every time a request is made in order to be authenticated. This way the server can look up the sent token (which was initially issued by the server) and verify if it's valid before sending a response back to the client.

In my opinion, the main reason why to use an authentication token instead of cookies as stated in Ember Auth FAQ is primarily because of the nature of the Ember.js framework and also because it fits more with the stateful web app paradigm. Therefore the cookie mechanism is not the best approach when building an Ember.js app.

I hope my answer will give more meaning to your question.
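
The server side of the token flow the answer describes (issue a token, then look it up and validate it on every request), as an added example that is not part of the original answer or of Ember Auth. It assumes the client sends the token in an `Authorization: Bearer` header; `issueToken`, `authenticate`, `revokeToken`, the in-memory `tokenStore` and the 30-minute lifetime are hypothetical names and values chosen for illustration.

```javascript
// Added example: opaque bearer tokens issued and validated by the server.
// All names and the TTL are illustrative assumptions, not Ember Auth's API.
const crypto = require('crypto');

const TOKEN_TTL_MS = 30 * 60 * 1000; // assumed 30-minute lifetime
const tokenStore = new Map();        // sha256(token) hex -> { userId, expiresAt }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Called once after a successful login: the server issues the token.
function issueToken(userId, now = Date.now()) {
  // 32 bytes from the CSPRNG, encoded as 43 unpadded base64url characters.
  const token = crypto.randomBytes(32).toString('base64url');
  // Store only the hash, so a leaked store does not yield usable tokens.
  tokenStore.set(sha256(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Called on every request: look up the sent token and check it is still valid.
// Unlike a cookie, the header is attached explicitly by client code.
function authenticate(headers, now = Date.now()) {
  const match = /^Bearer ([A-Za-z0-9_-]{43})$/.exec(headers.authorization || '');
  if (!match) return null;            // missing or malformed header
  const key = sha256(match[1]);
  const entry = tokenStore.get(key);
  if (!entry) return null;            // never issued, or already revoked
  if (now >= entry.expiresAt) {       // expired: forget it and reject
    tokenStore.delete(key);
    return null;
  }
  return entry.userId;
}

// Called on logout: the token stops working immediately.
function revokeToken(token) {
  return tokenStore.delete(sha256(token));
}
```

`authenticate` returns the user id for a valid token and `null` otherwise, so a request handler can reject with 401 before doing any work.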
