在通用React应用程序上存储JWT令牌
[英]Storing JWT token on an universal React application
问题描述
I have an universal React application using Redux, React-routerV4, MySQL and Sequelize. 
我有一个使用Redux,React-routerV4,MySQL和Sequelize的通用React应用程序。 I am trying to protect some routes, and I'm using Passport for that, like in this tutorial: https://hptechblogs.com/using-json-web-token-react/ 我正在尝试保护一些路由,并且为此使用了Passport,例如本教程中所示: https : //hptechblogs.com/using-json-web-token-react/
Usually with JWT storing on web browser is recommended, because you don't have to make request to the DB everytime you load a route. 通常,建议使用JWT在Web浏览器上存储,因为您不必在每次加载路由时都向DB发送请求。 But in the case of an Application with SSR this is not useful, because the components loaded by the server can't access LocalStorage or SessionStorage . 但是,对于具有SSR的应用程序,这没有用,因为服务器加载的组件无法访问LocalStorage或SessionStorage 。
I am thinking if storing the token in a cookie is better in the case of universal applications… Any idea? 我在考虑在通用应用程序中将令牌存储在cookie中是否更好……有什么想法吗?
Thanks! 谢谢!
1 个解决方案
解决方案1
0 2018-06-18 01:07:59
If you need SSR support, storing in a cookie is the better option. 如果需要SSR支持,则将cookie存储在更好的选择中。 Alternatively, you can use libs like node-localstorage , if you don't mind serializing to disk on server-side. 另外,如果您不介意序列化到服务器端的磁盘,则可以使用诸如node-localstorage之类的库。
However, storing JWTs in either local storage or cookie is a bad idea - since you're essentially storing username/password in plain sight. 但是,将JWT存储在本地存储或cookie中不是一个好主意-因为您实际上是在清晰可见的情况下存储用户名/密码。 If that is a concern, then you should be creating a session identifier (or similar), then store that in a signed cookie with httpOnly flag and then use that identifier to access sensitive information on server. 如果这是一个问题,那么您应该创建一个会话标识符(或类似标识符),然后将其存储在带有httpOnly标志的签名 cookie中,然后使用该标识符访问服务器上的敏感信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.