Article From: https://segmentfault.com/q/1010000015132301
Question:

Why does the server need to store a Token after generating it?

From the official documents of JWT, we know that JSON WEB TOKEN consists of three parts:

  • Header
  • Payload
  • Signature

Here we only discuss what the Payload stores, quoting the official JWT introduction:

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims: registered, public, and private claims.

From this we can see that the Payload part of a token can store the user's ID and roles. This fully embodies the self-describing nature of a TOKEN.

In that case, why do we still need to persist the Token in a caching database such as Redis? Can't the Token be held entirely on the client side?

I have asked friends, and most of the answers I got were: fast access, easy to expire.

Then suppose the Token is not stored on the back end, and the information in the Payload is:

{
  "id": "1234567890",
  "name": "John Doe",
  "admin": true,
  "expire": 1527833009000
}

Then, when the client carries this token while accessing the server, the server performs two steps:

  1. Decrypt and verify the Signature part, guaranteeing that the token has not been tampered with.
  2. Parse the Payload data and judge from the expire attribute whether or not it has expired.

So can we avoid retrieving the token from redis on every client visit?

Now, when every client request carries a token, does the server need to go to redis to check it every time?

Also, in a microservice architecture, it may be one API gateway or several API gateways that provide services externally, so our Redis must be installed on a separate physical machine or VM. So every time we check a token for validity, do we have to connect to the remote Redis server, retrieve the data, and then validate it?

Thank you all!
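The two-step stateless check the question describes, as an added example that is not part of the original post: it verifies the HS256 signature, then checks expiry from the payload, with no database lookup. It uses the standard exp claim (seconds) rather than the question's expire field, and the key, the optional revoked set (the one case that does need server-side state) and the sample payload are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key; in practice it comes from a secret store, never from source.
SECRET = b"example-hs256-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    # Restore the '=' padding that compact JWTs strip.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: header.payload.signature, each base64url-encoded."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = SECRET, now=None, revoked=None) -> dict:
    """Stateless check: (1) signature, (2) expiry. Raises ValueError on failure.
    'revoked' (a set of jti values) is the only part that needs server-side storage."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the expected algorithm instead of trusting the header's alg field.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")   # step 1: tampered or forged
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")         # step 2: expiry read from the payload itself
    if revoked and claims.get("jti") in revoked:
        raise ValueError("revoked")         # needed only for early logout / forced invalidation
    return claims

if __name__ == "__main__":
    tok = sign_jwt({"id": "1234567890", "name": "John Doe", "admin": True,
                    "exp": 1527833009, "jti": "constructed-id-1"})
    print(verify_jwt(tok, now=1527833000))
```

Because expiry and integrity come from the token itself, the gateway needs the key but not a Redis round-trip; only revocation before exp requires shared state.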

Answer 0:

JWT does not need to be stored on the server side. I also wonder why anyone would store the token on the server. Moreover, even if the server stores it, it should be encrypted like a password; otherwise, if the database is captured by a hacker, the token can be used to impersonate a user without a password.

Answer 1:

One big advantage of JWT is that no server-side storage is needed: the token is stored directly on the client side, each request carries the token, and the last of the three sections is used to check whether the token has been changed, to prevent the client from maliciously tampering with it.

The biggest drawback, of course, is that the token size is proportional to the amount of data carried, so it is recommended to save only the user's unique identifier in it and look up the rest as needed.

As for the security issues mentioned above, no authentication method holds up against a man-in-the-middle attack or a compromised client.
