Cookies, Sessions and Tokens


Are you new to web development and confused by the different web storage elements?

If so, you are in the right place. This article gives a brief explanation of sessions, cookies and tokens and the authentication techniques built on them.

There are two different authentication techniques:

  • Cookie/session-based authentication
  • Token-based authentication

What are cookies and sessions?

In simple words, cookies and sessions are files used to store information.

How do they differ

  • Cookies are text files stored only on the client-side machine, whereas sessions create a file in a temporary directory on the server to store variables. Variables inside sessions help us track user activity.

  • Cookies are stored in the browser; sessions are not.

  • Cookies keep their information until they are deleted, whereas sessions are destroyed whenever the user closes the browser. The server also ends sessions after a predetermined period, commonly 30 minutes.

  • Variables defined inside a cookie spare the user from providing credentials for authentication every time. Variables inside a session help track user activity using the cookies in the browser.

  • Cookies can only store strings, whereas sessions can store objects (JSON).

  • A cookie can store only up to 4000 bytes (4 KB) of information.

  • Cookies are saved in the browser for future reference: the server sends a set of cookies to the browser, for example a name, age or identification number, which helps in later user authentication. Sessions, by contrast, are completely lost whenever the user closes the browser.

Cookie-based authentication

To understand this, we need to get back to basics. Consider logging in to your bank account using its website.

On the login page, you have to enter your credentials. Based on the credentials, the server looks up your user record in the database and generates a session id. The server passes the session id to the browser, which stores it in a cookie. The cookie in our browser lets the server track user activity and spares the user from providing credentials in later authentications over a period of time.

Whenever the user logs out, the server clears the session id and instructs the browser to destroy the cookie stored during authentication. This process is called cookie-based authentication.
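The login, cookie and logout steps above, as an added example that is not part of the original article: a minimal server-side session store in Python with the page's 30-minute expiry. The user table, the secret cookie name `sid` and the in-memory dictionary standing in for the server's temporary session file are all assumptions made for the demo.

```python
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # seconds: the "commonly 30 minutes" server-side expiry

# Constructed demo credential store (a real system stores salted password hashes).
USERS = {"alice": "correct horse battery staple"}
# Server-side session store: the "file in a temporary directory" of the text, kept in memory here.
SESSIONS = {}


def login(username: str, password: str):
    """Check credentials; on success create a server-side session and return the
    Set-Cookie header value the server sends, or None on failure."""
    expected = USERS.get(username, "")
    # Constant-time comparison so a wrong password cannot be distinguished by timing.
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    sid = secrets.token_urlsafe(32)  # 256 random bits: the session id must be unguessable
    SESSIONS[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
    # HttpOnly keeps scripts away from the id, Secure restricts it to HTTPS,
    # SameSite=Lax stops most cross-site requests from carrying it.
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}"


def parse_cookie_header(header: str) -> dict:
    """Turn a request's 'Cookie: a=1; b=2' value into a dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return dict(pairs)


def current_user(cookie_header: str):
    """Resolve the user for a request; unknown or expired ids are rejected and
    expired entries purged, so a finished session cannot be reused."""
    sid = parse_cookie_header(cookie_header).get("sid")
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if record["expires"] < time.time():
        del SESSIONS[sid]
        return None
    return record["user"]


def logout(cookie_header: str) -> str:
    """Destroy the server-side session and return a Set-Cookie value that tells
    the browser to drop the cookie (Max-Age=0 expires it immediately)."""
    SESSIONS.pop(parse_cookie_header(cookie_header).get("sid"), None)
    return "sid=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0"
```

Because the state lives in `SESSIONS`, the server can revoke a session at any time simply by deleting the entry; that is the stateful property the article contrasts with tokens later.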

Figure: Cookie-based authentication

Cookie-based authentication has been the default, tried-and-true method for handling user authentication for a very long time.

Cookie-based authentication is stateful. The term stateful refers to generating and maintaining the sessions inside the server.

What are tokens?

Similar to cookies and sessions, tokens are used to store user information. Unlike cookies and sessions, a token is built with an optional signature and/or optional encryption, and its payload holds a small piece of user information in JSON format.

Using a private secret or a public/private key pair, a token generates its signature. That is what makes tokens strong. Tokens are signed with one party's private key (usually the server's) so that party can later verify the token is legitimate.

Token-based authentication

Although cookie-based authentication has been successful, token-based authentication has gained prevalence over the last few years due to the rise of single-page applications, web APIs and the Internet of Things (IoT). When we talk about authentication with tokens, we generally mean authentication with JSON Web Tokens (JWTs).

Consider the same banking application. I need to keep track of daily expenses to control my spending, but it has been difficult to remember my day-to-day expenses. Then I found an app in an app store that tracks my expenses, which satisfies my needs.

But we can't give our bank credentials directly to that app. Instead, the app takes our bank account number, makes a request to our bank server and gets access to read our transaction details.

Our bank server grants the app access to read our transaction details based on the user's confirmation.

Here, using cookie-based authentication would lead to CORS (Cross-Origin Resource Sharing) issues.

Tokens save information only in the client-side environment and so have no impact across platforms (no CORS issues).

Figure: Token-based authentication

From the above use case, we can conclude that authentication using tokens is far better across platforms than traditional cookie-based authentication.

Token-based authentication is stateless. The server does not keep any record of user activity.

The token is generally sent in a header named Authorization with the value Bearer {JWT token}:

Authorization: Bearer <token>

It can also be attached to the body of a POST request or even passed as a query parameter.
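The signing and verification described under "What are tokens?" and the Bearer header above, as an added example not taken from the article: a dependency-free HS256 JWT issuer and verifier in Python, plus the parsing of `Authorization: Bearer <token>`. The demo secret, the `sub` claim as the user identity and the 900-second lifetime are assumptions; the verifier pins the algorithm and checks `exp` so that a stateless server still rejects forged or stale tokens without any lookup.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-hmac-key-replace-me"  # constructed demo key; load a long random key from config in practice

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes = SECRET, ttl: int = 900, now=None) -> str:
    """Build header.payload.signature (HS256). The payload is only base64url
    encoded, not encrypted, so it must not carry secrets; 'exp' bounds its life."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=int(now), exp=int(now) + ttl)
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if signature and expiry check out, else None. Nothing is
    looked up server-side: the token carries everything needed (stateless)."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(_unb64url(h64)).get("alg") != "HS256":  # pin alg; never trust it from the token
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s64)):
            return None
        claims = json.loads(_unb64url(p64))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):  # wrong segment count, bad base64/JSON, odd types
        return None

def user_from_request(headers: dict, secret: bytes = SECRET):
    """Parse 'Authorization: Bearer <token>' and return the 'sub' claim, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    claims = verify_jwt(token, secret)
    return claims.get("sub") if claims else None
```

Unlike the session store, nothing here can revoke an issued token before `exp`; keeping `ttl` short is the usual mitigation for that trade-off.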

Advantages of token-based authentication over cookie-based authentication

Stateless

Being stateless is the most important advantage over cookies: it relieves the server of the load of tracking user activity.

Each token is self-contained, carrying all the data required to check its validity as well as conveying user information through claims.

Client storage

With a cookie-based approach, you can store only strings. JWTs, however, let you store any type of metadata, as long as it is valid JSON.

Web Storage APIs like sessionStorage and localStorage help store tokens in the browser.

The maximum storage limit of Web Storage is 10 MB (local storage). Using the npm package IdleTimer, we can control the expiration time of web storage.

CORS issues

Cookies work well with a single domain and its subdomains, but managing cookies across different domains becomes difficult. With token-based authentication we can avoid such errors, since it stores the token only in the client environment, which makes it a good choice for cross-platform applications (mobile/web).

Token-based authentication using JWT is the recommended method in modern web apps. One drawback of JWT is size: a JWT should not grow much bigger, so the JSON object in a JWT should contain only the necessary information and avoid holding sensitive information, to prevent XSS security attacks.

Thanks for reading. Happy coding 😊.

Translated from: https://medium.com/swlh/cookies-vs-sessions-vs-tokens-3280be9c3059
