ASP.Net Core 2.1 API JWT cookie-less sessions?

Question

Is there such a thing? Can this be done? Have sessions based on the JWT token and not on cookies? Session.Ids change for me on every request. Is there any way of knowing the session without cookies?

Recommended answer

HTTP is a stateless protocol. That means each request is treated uniquely as if the client had never made a request before. Sessions are a way of faking state. The way they work is when the server needs to maintain state, it creates a session and sends the id of that session to the client via a cookie. A cookie is just a response header that indicates that the client should persist a certain piece of data and then send it back to the server with each subsequent request. The client (web browser), then, does this: saves the cookie and sends the cookie back with each request. The server receives the cookie in the request headers, uses it to look up the session and "restores" it, giving the appearance of state.

The important part is the data, i.e. session id, not necessarily the "cookie". In a sense, that means you could potentially replace the cookie with some other mechanism, as long as the client and server still pass the session id back and forth, you're fine. However, cookies are that mechanism for web browsers. There is nothing else in the web browser world that will automatically send data back to the server each time a user navigates to a different page (sends a request). If this were an API with a generic client involved, and a programmer on the other end deciding how each request will be formatted, then you can handle it however you want. And indeed, APIs don't typically utilize cookies for this very reason - there are usually better ways to do things than passing cookies back and forth when you have full control over the request. That is definitely not the case with a web browser, so traditional websites need cookies to maintain state.

JWT is actually irrelevant in this discussion. It's merely a way of formatting data. It is not a replacement for cookies. Your cookies could be JWTs, and in many modern web apps they actually are, but the server still sends a Set-Cookie header with that, and the client still saves it locally and sends it back with the Cookie header.
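
What the answer describes for an API client, as an added example that is not part of the original answer: the session id travels in a claim of the validated JWT instead of a cookie, and the server looks up its state by that id. The middleware name, the `sid` claim, the `TokenSession` item key and the 20-minute expiry are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;

// Hypothetical middleware (name and claim choice are assumptions): keeps
// per-client state on the server, keyed by an id carried inside the JWT.
public class TokenSessionMiddleware
{
    private const string SessionClaim = "sid";      // assumed claim name, set at login
    private const string ItemKey = "TokenSession";  // assumed HttpContext.Items key
    private readonly RequestDelegate _next;
    private readonly IDistributedCache _cache;

    public TokenSessionMiddleware(RequestDelegate next, IDistributedCache cache)
    {
        _next = next;
        _cache = cache;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Only trust the claim once the JWT bearer handler has validated the
        // token's signature and lifetime; anonymous requests get no session.
        var sid = context.User?.Identity?.IsAuthenticated == true
            ? context.User.FindFirst(SessionClaim)?.Value
            : null;
        if (string.IsNullOrEmpty(sid))
        {
            await _next(context);
            return;
        }

        var cacheKey = "session:" + sid;
        // "Restore" the state saved by an earlier request carrying the same id.
        context.Items[ItemKey] = await _cache.GetStringAsync(cacheKey) ?? "{}";

        await _next(context); // controllers read and replace the JSON string

        var after = (context.Items[ItemKey] as string) ?? "{}";
        // Sliding expiry so abandoned sessions drop out of the store.
        await _cache.SetStringAsync(cacheKey, after, new DistributedCacheEntryOptions
        {
            SlidingExpiration = TimeSpan.FromMinutes(20)
        });
    }
}
```

Register it after `app.UseAuthentication()` so the claim always comes from a validated token, and put an unpredictable random value in `sid` when the token is issued.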
