JWT vs cookies for token-based authentication


Question

I read some posts about "JWT vs Cookie", but they only made me more confused...

  1. I want some clarification: when people talk about "token-based authentication vs cookies", do cookies here merely refer to session cookies? My understanding is that a cookie is like a medium; it can be used to implement token-based authentication (store something that can identify the logged-in user on the client side) or session-based authentication (store a constant on the client side that matches session information on the server side).

  2. Why do we need JSON Web Tokens? I was using the standard cookie to implement token-based authentication (not using a session id, not using server memory or file storage): Set-Cookie: user=innocent; preferred-color=azure, and the only difference that I observed is that a JWT contains both payload and signature... whereas you can choose between a signed or plaintext cookie for the HTTP header. In my opinion a signed cookie (cookie: 'time=s%3A1464743488946.WvSJxbCspOG3aiGi4zCMMR9yBdvS%2B6Ob2f3OG6%2FYCJM') is more space efficient; the only drawback is that the client cannot read the token, only the server can... but I think it's fine because, just like claims in a JWT are optional, it's not necessary for the token to be meaningful.

Answer

The biggest difference between bearer tokens and cookies is that the browser will automatically send cookies, whereas bearer tokens need to be added explicitly to the HTTP request.

This feature makes cookies a good way to secure websites where a user logs in and navigates between pages using links.

The browser automatically sending cookies also has a big downside, which is CSRF attacks. In a CSRF attack, a malicious website takes advantage of the fact that your browser will automatically attach authentication cookies to requests to that domain, and tricks your browser into executing a request.

Suppose the website at https://www.example.com allows authenticated users to change their passwords by POST-ing the new password to https://www.example.com/changepassword, without requiring the username or old password to be posted.

If you are still logged in to that website when you visit a malicious website which loads a page in your browser that triggers a POST to that address, your browser will faithfully attach the authentication cookies, allowing the attacker to change your password.

Cookies can also be used to protect web services, but nowadays bearer tokens are used most often. If you use cookies to protect your web service, that service needs to live on the domain for which the authentication cookies are set, as the same-origin policy won't send cookies to another domain.

Also, cookies make it more difficult for non-browser-based applications (like mobile or tablet apps) to consume your API.
