2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many developers who are new to JWT are unsure where to store the token on the client. This article summarizes the causes of the problem and the solutions, and should help you decide.
JWT is a way to make web applications stateless.
1. First get the JWT Token.
POST /token HTTP/1.1
Host: galaxies.com
Content-Type: application/x-www-form-urlencoded

username=abc&password=password
The server returns:
HTTP/1.1 200 OK

{
"access_token": "eyJhbGciOiJIUzI1NiIsI.eyJpc3MiOiJodHRwczotcGxlL.mFrs3Zo8eaSNcxiNfvRh9dqKP4F1cB",
"expires_in": 3600
}
Every subsequent request must carry this token so that the server can verify it.
2. Store Token in LocalStorage or SessionStorage
function tokenSuccess(err, response) {
    if (err) {
        throw err;
    }
    // Keep the access token in sessionStorage, where any script on the page can read it
    $window.sessionStorage.accessToken = response.body.access_token;
}
The next request needs to be accompanied by Token:
GET /stars/pollux HTTP/1.1
Host: galaxies.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsI.eyJpc3MiOiJodHRwczotcGxlL.mFrs3Zo8eaSNcxiNfvRh9dqKP4F1cB
Disadvantages:
Because both LocalStorage and SessionStorage can be read by JavaScript, a token stored there is exposed to XSS attacks. The risk is greater when the project uses many third-party JavaScript libraries.
In addition, the application itself must ensure that the token is transmitted only over HTTPS.
3. Store Token in Cookie
HTTP/1.1 200 OK
Set-Cookie: access_token=eyJhbGciOiJIUzI1NiIsI.eyJpc3MiOiJodHRwczotcGxlL.mFrs3Zo8eaSNcxiNfvRh9dqKP4F1cB; Secure; HttpOnly
Subsequent requests need to be accompanied by the token:
GET /stars/pollux HTTP/1.1
Host: galaxies.com
Cookie: access_token=eyJhbGciOiJIUzI1NiIsI.eyJpc3MiOiJodHRwczotcGxlL.mFrs3Zo8eaSNcxiNfvRh9dqKP4F1cB
Advantages:
You can set HttpOnly to prevent the cookie from being read by JavaScript, and you can set Secure to ensure that the token is only transmitted over HTTPS.
Disadvantages:
Does not comply with RESTful best practices.
Vulnerable to CSRF attacks (the Referer and Origin headers can be checked on the server side).
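The cookie from section 3 together with the server-side Origin/Referer check mentioned above, as an added example that is not part of the original article. TRUSTED_ORIGIN, the function names, and the Max-Age and Path attributes are assumptions made for illustration.

```javascript
// Added example; TRUSTED_ORIGIN and all function names are hypothetical.
const TRUSTED_ORIGIN = "https://galaxies.com"; // assumed origin of the article's example host
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Build the Set-Cookie value from section 3. Secure and HttpOnly come from
// the article; Max-Age (from expires_in) and Path are assumptions added here.
function buildTokenCookie(token, expiresIn) {
  if (!/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new Error("token contains characters not valid in a compact JWT");
  }
  return `access_token=${token}; Max-Age=${expiresIn}; Path=/; Secure; HttpOnly`;
}

// Reduce an Origin or Referer value to scheme://host[:port]; null if unparsable.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // e.g. the literal "null" that browsers send for opaque origins
  }
}

// Decide whether a cookie-authenticated request may proceed.
// `headers` uses lower-cased names, as Node's http module exposes them.
function isCsrfSafe(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true; // must not change state
  const source = headers["origin"] ?? headers["referer"]; // prefer Origin
  if (source === undefined) return false; // neither header present: reject
  return originOf(source) === TRUSTED_ORIGIN; // exact match, never a substring test
}

// Constructed sample requests (not captured traffic).
const samples = [
  ["POST", { origin: "https://galaxies.com" }],
  ["POST", { referer: "https://galaxies.com/stars/pollux" }],
  ["POST", { referer: "https://galaxies.com.attacker.example/" }],
  ["POST", { origin: "null" }],
  ["POST", {}],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), "->", isCsrfSafe(method, headers));
}
```

The third sample shows why the comparison is made on the parsed origin: a prefix or substring match on the Referer string would accept a look-alike host.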
4. It is recommended to use Cookie to store Token
Comparatively speaking, Web Storage is more vulnerable than Cookie.