JSON Web Token (JWT) benefits over a database session token


Question

With a database session token system I could have a user login with a username/password, the server could generate a token (a uuid for example) and store it in the database and return that token to the client. Every request from thereon would include the token and the server would look up whether the token is valid and what user it belongs to.

Using JWT there would be no need to save anything to the database with respect to session/tokens thanks to the combination of the secret key kept on the server and the signed token the client keeps and sends with every request.

This is good but besides saving a database check each request (which would be fast anyway since it's just checking a hash table) it's not clear to me what the advantages are of using JWT. Can anyone familiar with this explain? Let's ignore cookies, it's specifically a database custom token as described above and JWT that I am trying to compare and understand the benefits.

Answer

The main difference is the session storage size and lookup work required from the server:

  • On the server side, JWT stores a single key in memory (or in config file) - called secret key. That key has two purposes, it enables creating new encrypted tokens and it also functions like a master key that "opens all locks", in practice it verifies all tokens. As a result the server responds much faster to auth requests, because it doesn't matter if you have two or two million users logged in - the same number of records (one, that server key) will be used to authenticate all client requests.

Traditional authentication that stores user sessions in a database, creates a record in the db for every single user, which results in multiple keys. So if you have two million users logged in, the server will create two million records and with each client request the server needs to locate the relevant session record in the database*.

JWT leaves it up to the client side to store and handle the entire session/user object. It actually makes much more sense because every client handles their own data only, so it doesn't cause heavy lifting for the client side either.

As for what you wrote in your last paragraph, it's not just db calls that we save here. JWT is actually much more scalable because of its independent and lightweight nature, it doesn't fail as auth requests pile up and it allows the server to handle auth across devices and services without managing sessions on the server side.

Security wise though, db sessions arguably have the upper hand: they can be more secure because of that latency, and are also less vulnerable to session hijacking after user logout.

*The db stored sessions method can be optimized with effective caching and by storing only the session id (as opposed to the entire user object) in a fast key/value server such as Redis. That said, I would still choose JWT method over db for most cases.
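The contrast the answer draws, as an added example that is not part of the question or answer: a minimal HS256 JWT signed and verified with the one server-side key and no stored record, next to a database-style session table with one record per login. The secret, the user names and the session table are constructed for the demo; the revocation difference the answer mentions is visible because deleting a session record rejects the next lookup at once, while a signed token stays valid until its `exp` claim passes.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # the single server key the answer describes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims: dict, key: bytes = SECRET) -> str:
    """Build an HS256 JWT (header.payload.signature); nothing is stored server-side."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_verify(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Verify using only the server key; returns the claims or None on any failure."""
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm before looking at the MAC so a forged header cannot pick it.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None
    # A signed token carries its own lifetime; the server cannot "forget" it early.
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

# Database-style sessions: one record per login, looked up on every request.
SESSIONS: dict = {}

def session_create(user: str) -> str:
    sid = secrets.token_urlsafe(32)  # opaque id; the user object lives in the record
    SESSIONS[sid] = {"sub": user}
    return sid

def session_lookup(sid: str) -> Optional[dict]:
    return SESSIONS.get(sid)

def session_logout(sid: str) -> None:
    SESSIONS.pop(sid, None)  # revoked immediately: the next lookup fails
```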
