刷新后如何使先前的JWT令牌无效
[英]How to invalidate previous JWT token after refresh
问题描述
In our application new JWT token is returned in a cookie each time user sends a request, even though previous has still much lifetime. 
在我们的应用程序中,每次用户发送请求时,新的JWT令牌都会以cookie的形式返回,即使前一个的生存期仍然很大。 If user makes multiple request in a short period of time, there exists multiple valid tokens almost full lifetime on each. 如果用户在短时间内发出多个请求,则每个上都会存在多个有效令牌,它们的生命周期几乎满了。 Browser is of course using the latest one, but someone may still use the previous ones to impersonate user. 浏览器当然是使用最新的浏览器,但仍有人可能会使用以前的浏览器来模拟用户。
Is there way to invalidate the previous token when dispatching a new one, or is the only choice to dispatch new token only when there is not much lifetime on the last one? 分派一个新令牌时,是否有办法使上一个令牌无效?或者只有当最后一个令牌的生存期不多时,才是分配新令牌的唯一选择?
1 个解决方案
解决方案1
3 2017-01-05 19:42:39
The only way to 'invalidate' tokens is by keeping track of them statefully. 使令牌“无效”的唯一方法是有状态地跟踪它们。
This usually means doing something like keeping a key/value cache of tokens that are valid, and invalid, and checking incoming request tokens against these lists on each request. 这通常意味着要做一些事情,例如保留有效和无效令牌的键/值缓存,并根据每个请求上的这些列表检查传入的请求令牌。
The downside to doing things this way is that you lose a lot of the 'stateless' benefits of JWTs (since you are still checking a centralized store for token validity), but the benefit is that you can be more 'secure' by immediately revoking tokens you no longer want service-able. 这种方式的缺点是,您失去了JWT的许多“无状态”好处(因为您仍在检查集中存储中的令牌有效性),但好处是可以通过立即撤销来更加“安全”您不再希望服务的令牌。
One workaround is to have your access tokens be extremely short lived (5 minutes or so), to minimize any abuse. 一种解决方法是使访问令牌的寿命极短(大约5分钟),以最大程度地减少滥用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.