javascript - 无效的JSON Web令牌(Invalidating JSON Web Tokens)

Question

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a token-based session approach (no key-value store) using JSON Web Tokens (jwt).

(对于我正在研究的一个新的node.js项目，我正在考虑从基于cookie的会话方法切换（这意味着，将ID存储到用户浏览器中包含用户会话的键值存储中）到使用JSON Web令牌（jwt）的基于令牌的会话方法（无键值存储）。)

The project is a game that utilizes socket.io - having a token-based session would be useful in such a scenario where there will be multiple communication channels in a single session (web and socket.io)

(该项目是一个利用socket.io的游戏-在单个会话（web和socket.io）中会有多个通信渠道的情况下，基于令牌的会话将非常有用。)

How would one provide token/session invalidation from the server using the jwt Approach?

(如何使用jwt方法从服务器提供令牌/会话无效？)

I also wanted to understand what common (or uncommon) pitfalls/attacks I should look out for with this sort of paradigm.

(我还想了解我应该用这种范例寻找哪些常见（或不常见）的陷阱/攻击。)

For example, if this paradigm is vulnerable to the same/different kinds of attacks as the session store/cookie-based approach.

(例如，如果此范例易受与基于会话存储/ Cookie的方法相同/不同类型的攻击的攻击。)

So, say I have the following (adapted from this and this ):

(因此，说我有以下内容（适应了this和this ）：)

Session Store Login:

(会话商店登录：)

app.get('/login', function(request, response) {
    var user = {username: request.body.username, password: request.body.password };
    // Validate somehow
    validate(user, function(isValid, profile) {
        // Create session token
        var token= createSessionToken();

        // Add to a key-value database
        KeyValueStore.add({token: {userid: profile.id, expiresInMinutes: 60}});

        // The client should save this session token in a cookie
        response.json({sessionToken: token});
    });
}

Token-Based Login:

(基于令牌的登录：)

var jwt = require('jsonwebtoken');
app.get('/login', function(request, response) {
    var user = {username: request.body.username, password: request.body.password };
    // Validate somehow
    validate(user, function(isValid, profile) {
        var token = jwt.sign(profile, 'My Super Secret', {expiresInMinutes: 60});
        response.json({token: token});
    });
}

--

(-)

A logout (or invalidate) for the Session Store approach would require an update to the KeyValueStore database with the specified token.

(要注销（或使会话存储方法无效），将需要使用指定的令牌更新KeyValueStore数据库。)

It seems like such a mechanism would not exist in the token-based approach since the token itself would contain the info that would normally exist in the key-value store.

(似乎这种机制在基于令牌的方法中将不存在，因为令牌本身将包含通常存在于键值存储中的信息。)

  ask by funseiki translate from so

Answer 1

I too have been researching this question, and while none of the ideas below are complete solutions, they might help others rule out ideas, or provide further ones.

(我也一直在研究这个问题，尽管以下所有想法都不是完整的解决方案，但它们可能会帮助其他人排除想法或提供其他想法。)

1) Simply remove the token from the client

(1）只需从客户端删除令牌)

Obviously this does nothing for server side security, but it does stop an attacker by removing the token from existence (ie. they would have to have stolen the token prior to logout).

(显然，这对服务器端安全没有任何帮助，但是它确实通过删除令牌来阻止攻击者（即，在注销之前，他们必须先窃取了令牌）。)

2) Create a token blacklist

(2）创建一个令牌黑名单)

You could store the invalid tokens until their initial expiry date, and compare them against incoming requests.

(您可以存储无效令牌，直到它们的初始到期日期，然后将它们与传入请求进行比较。)

This seems to negate the reason for going fully token based in the first place though, as you would need to touch the database for every request.

(不过，这似乎可以消除完全基于令牌的原因，因为您将需要为每个请求触摸数据库。)

The storage size would likely be lower though, as you would only need to store tokens that were between logout & expiry time (this is a gut feeling, and is definitely dependent on context).

(不过，存储空间可能会更小，因为您只需要存储注销和到期时间之间的令牌（这是一种直觉，并且绝对取决于上下文）。)

3) Just keep token expiry times short and rotate them often

(3）保持令牌的有效期限短并经常轮换)

If you keep the token expiry times at short enough intervals, and have the running client keep track and request updates when necessary, number 1 would effectively work as a complete logout system.

(如果您将令牌的到期时间保持在足够短的时间间隔内，并且让运行中的客户端在必要时跟踪并请求更新，则数字1将有效地用作完整的注销系统。)

The problem with this method, is that it makes it impossible to keep the user logged in between closes of the client code (depending on how long you make the expiry interval).

(这种方法的问题在于，它使得无法在关闭客户端代码之间保持用户登录状态（取决于您设置到期间隔的时间）。)

Contingency Plans

(临时计划)

If there ever was an emergency, or a user token was compromised, one thing you could do is allow the user to change an underlying user lookup ID with their login credentials.

(如果发生紧急情况或用户令牌被盗，您可以做的一件事是允许用户使用其登录凭据更改基础用户查找ID。)

This would render all associated tokens invalid, as the associated user would no longer be able to be found.

(这将使所有关联的令牌无效，因为将不再能够找到关联的用户。)

I also wanted to note that it is a good idea to include the last login date with the token, so that you are able to enforce a relogin after some distant period of time.

(我还想指出，在令牌中包含上次登录日期是个好主意，这样您就可以在很长一段时间后强制重新登录。)

In terms of similarities/differences with regards to attacks using tokens, this post addresses the question: http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/

(关于使用令牌进行攻击的相似性/差异性，本文讨论了以下问题： http : //blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/)