This article is translated from: Invalidating JSON Web Tokens

For a new node.js project I'm working on, I'm thinking about switching over from a cookie-based session approach (by this, I mean storing an id to a key-value store containing user sessions in a user's browser) to a token-based session approach (no key-value store) using JSON Web Tokens (jwt).

The project is a game that utilizes socket.io. Having a token-based session would be useful in such a scenario, where there will be multiple communication channels in a single session (web and socket.io).

How would one provide token/session invalidation from the server using the jwt approach?

I also wanted to understand what common (or uncommon) pitfalls/attacks I should look out for with this sort of paradigm. For example, whether this paradigm is vulnerable to the same/different kinds of attacks as the session store/cookie-based approach.

So, say I have the following (adapted from this and this):

Session Store Login:

// Credentials travel in the request body, so this should be a POST, not a GET
app.post('/login', function(request, response) {
  var user = {username: request.body.username, password: request.body.password};
  // Validate somehow
  validate(user, function(isValid, profile) {
    if (!isValid) { return response.status(401).json({error: 'invalid credentials'}); }
    // Create session token
    var token = createSessionToken();
    // Add to a key-value database, keyed by the token value itself
    var entry = {};
    entry[token] = {userid: profile.id, expiresInMinutes: 60};
    KeyValueStore.add(entry);
    // The client should save this session token in a cookie
    response.json({sessionToken: token});
  });
});

Token-Based Login:

var jwt = require('jsonwebtoken');
// Credentials travel in the request body, so this should be a POST, not a GET
app.post('/login', function(request, response) {
  var user = {username: request.body.username, password: request.body.password};
  // Validate somehow
  validate(user, function(isValid, profile) {
    if (!isValid) { return response.status(401).json({error: 'invalid credentials'}); }
    // Sign the profile with the server secret; the claims live in the token itself
    // (newer jsonwebtoken versions spell the option expiresIn: '60m')
    var token = jwt.sign(profile, 'My Super Secret', {expiresInMinutes: 60});
    response.json({token: token});
  });
});

---

A logout (or invalidate) for the Session Store approach would require an update to the KeyValueStore database with the specified token.

It seems like such a mechanism would not exist in the token-based approach, since the token itself would contain the info that would normally exist in the key-value store.


Answer #1

Reference: https://stackoom.com/question/1UDeU/无效的JSON-Web令牌


Answer #2

I too have been researching this question, and while none of the ideas below are complete solutions, they might help others rule out ideas, or provide further ones.

1) Simply remove the token from the client

Obviously this does nothing for server-side security, but it does stop an attacker by removing the token from existence (i.e. they would have to have stolen the token prior to logout).

2) Create a token blacklist

You could store the invalid tokens until their initial expiry date, and compare them against incoming requests. This seems to negate the reason for going fully token-based in the first place though, as you would need to touch the database for every request. The storage size would likely be lower though, as you would only need to store tokens that were between logout and expiry time (this is a gut feeling, and is definitely dependent on context).

3) Just keep token expiry times short and rotate them often

If you keep the token expiry times at short enough intervals, and have the running client keep track and request updates when necessary, number 1 would effectively work as a complete logout system. The problem with this method is that it makes it impossible to keep the user logged in between closes of the client code (depending on how long you make the expiry interval).

Contingency Plans

If there ever was an emergency, or a user token was compromised, one thing you could do is allow the user to change an underlying user lookup ID with their login credentials. This would render all associated tokens invalid, as the associated user would no longer be able to be found.

I also wanted to note that it is a good idea to include the last login date with the token, so that you are able to enforce a relogin after some distant period of time.

In terms of similarities/differences with regards to attacks using tokens, this post addresses the question: http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/


Answer #3

I would keep a record of the jwt version number on the user model. New jwt tokens would set their version to this.

When you validate the jwt, simply check that it has a version number equal to the user's current jwt version.

Any time you want to invalidate old jwts, just bump the user's jwt version number.


Answer #4

The ideas posted above are good, but a very simple and easy way to invalidate all the existing JWTs is simply to change the secret.

If your server creates the JWT, signs it with a secret (JWS), then sends it to the client, simply changing the secret will invalidate all existing tokens and require all users to gain a new token to authenticate, as their old token suddenly becomes invalid according to the server.

It doesn't require any modifications to the actual token contents (or lookup ID).

Clearly this only works for an emergency case when you want all existing tokens to expire; for per-token expiry one of the solutions above is required (such as short token expiry time or invalidating a stored key inside the token).


Answer #5

An approach I've been considering is to always have an iat (issued at) value in the JWT. Then when a user logs out, store that timestamp on the user record. When validating the JWT just compare the iat to the last logged out timestamp. If the iat is older, then it's not valid. Yes, you have to go to the DB, but I'll always be pulling the user record anyway if the JWT is otherwise valid.

The major downside I see to this is that it'd log them out of all their sessions if they're in multiple browsers, or have a mobile client too.

This could also be a nice mechanism for invalidating all JWTs in a system. Part of the check could be against a global timestamp of the last valid iat time.


Answer #6

I'm a bit late here, but I think I have a decent solution.

I have a "last_password_change" column in my database that stores the date and time when the password was last changed. I also store the date/time of issue in the JWT. When validating a token, I check if the password has been changed after the token was issued, and if it was, the token is rejected even though it hasn't expired yet.
