Handling expiry/"remember me" functionality with JWT


Question

Conceptually, I really like JWT as it is in line with the statelessness of REST etc (no state saved server-side, all relevant data is contained in the token).

What I am unsure about: how would you handle token expiry when not connected (i.e., a "remember me" functionality)?

There's an emerging coverage of JWT on the web, but I couldn't find anyone that answered the expiry question yet.

Clarification: I am not asking how to handle a token soon-to-expire, but what to do when a token has already expired (user closed website/app for a while). The simplest solution that comes to my mind is caching the user's credentials, which is rather insecure.

Answer

There isn't a black-and-white answer to the given problem of how to implement the remember-me functionality, theory-wise. Lots of theoretical arguments are given on why something should not be done, while at the same time there is no clear answer given to the problem as for how it should practically be done.

Remember-me implicitly comes with the problem that you need a longer time window of token expiration, there is just no way around this. The most secure way is to have the user login regularly given brief expiry; nobody practically likes this though, so a tradeoff is made where theoretical secure perfection is weighed against practical measures.

The way this tradeoff works is by patching the imperfections that come with having a long expiry for a token. But make no mistake about it, you will need a jwt / cookie with long expiry (whether you use two tokens, implement some secondary refreshing mechanism or whatever, at the end you run into the same problem)!
Based on articles I've read on how others did it, this is how it's done.

The way I will implement this is by offering a 3-month expiry on a jwt stored in an httpOnly / secure cookie when the user checks remember-me.
On logout just clear the cookie.
Obviously protect using https / CSRF measures on top.

If you don't agree with it, stop fussing and offer an alternative solution - which there clearly isn't from the infinite number of discussions I've read on it.
If there were a straightforward solution to the problem, there probably wouldn't be so many discussions about it in the first place.

You can use a refresh token mechanism, but it only works if you verify the time intervals at which the refresh token gets used. For example, depending on the lifetime of the access token, you can govern how often you allow a user to refresh the token. If the intervals show suspicious activity, you should revoke both tokens for all clients.
The problem revolves around the idea that either the access token or the refresh token could theoretically be stolen. So merely having a refreshing mechanism without additional security is essentially useless. If you can steal an access token, you can steal a refresh token too.
