Comparison between JWT and Session
Nowadays more and more projects adopt JWT as their authentication and authorization mechanism. So what is the difference between JWT and the mechanism most of us used before, the Session? Let's take a look.

What is JWT?

Definition

Characteristics

Transmitting data with JWT actually means transmitting a string, the so-called JSON Web Token string. So in a broad sense JWT is the name of a standard; in a narrow sense JWT refers to the token string that is passed around. This string has two characteristics:

Structure

It consists of three parts: header, payload and signature. The string is originally a single line; it is split onto three lines here only to make its structure visible.

The difference between JWT and Session

Why compare JWT with Session? Because we now mainly use JWT to authenticate each request, and before that we used sessions. So what is the difference between them?

What the string itself carries

As the introduction above shows, the JWT string itself contains user information, such as user name, permissions, roles and so on.

The SessionId passed by a session is a much simpler string, and it carries no meaning in itself.

So, generally speaking, the JWT string is longer than a SessionId, and the more information you store in the JWT, the longer the JWT itself becomes.

The storage capacity of a Cookie is limited (generally 4KB), so you need to pay attention to this when carrying a JWT in one.

Parsing

The JWT header and payload are just encoded JSON, and the signature is a cryptographically computed string over them, so parsing a JWT is relatively simple and needs no other supporting data.

A SessionId is only the identifier of a user object stored on the server, so in theory an additional lookup (a map from id to object) is needed to find the current user's information.

Management method

A JWT is in principle used for stateless requests, so its user management depends only on the token itself. We usually add an expiration time to its payload, and the token can then only expire on its own; there is no additional management.

Sessions are stored on the server, so there are many management schemes, and most of them are mature.

Cross-platform

JWT itself is based on JSON, so cross-platform use is easier: libraries for the different platforms can be downloaded from the official website and used to parse the token.

Cross-platform use of sessions may not be so easy. You have to consider the format in which user information is stored (ProtoBuf, JSON, XML and so on), and if you want to manage it centrally you may need a dedicated unified login platform, so this will not be expanded on here.

Timeliness

Once a stateless JWT has been generated, it has nothing more to do with the server. As soon as the related data on the server is updated, the data stored in the stateless JWT becomes stale, because the token cannot be updated.

A Session is different. The SessionId itself carries no meaning, so you only need to modify the data stored on the server.
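To make the structure and the timeliness point concrete, here is an added example (not from the original article) that builds and verifies an HS256 JWT by hand and puts it next to a minimal server-side session store; the secret, user record and timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"demo-secret-do-not-reuse"   # constructed demo key, not a real secret
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()   # unpadded base64url

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, ttl: int, now: int) -> str:
    # header.payload.signature: two JSON parts plus an HMAC-SHA256 over them
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(dict(claims, exp=now + ttl)).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str, now: int):
    # Returns the claims if signature and expiry check out, otherwise None
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None   # only accept the algorithm we issue; never trust "alg" blindly
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:            # wrong part count, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

SESSIONS = {}   # server-side store: the id is opaque, the data lives here

def create_session(user: dict) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(user)
    return sid

def demo(now: int = None) -> dict:
    now = int(time.time()) if now is None else now
    user = {"sub": "alice", "role": "editor"}
    token, sid = issue_jwt(user, ttl=300, now=now), create_session(user)
    SESSIONS[sid]["role"] = "viewer"           # server-side change after issuance
    head, body, sig = token.split(".")
    tampered = f"{head}.{b64url(json.dumps(dict(user, role='admin')).encode())}.{sig}"
    return {
        "jwt_role": verify_jwt(token, now)["role"],      # "editor": the token cannot be updated
        "session_role": SESSIONS[sid]["role"],           # "viewer": the change is seen at once
        "jwt_expired": verify_jwt(token, now + 300),     # None: expiry is its only end of life
        "jwt_tampered": verify_jwt(tampered, now),       # None: the signature binds the payload
    }
```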

Applicable scenario

JWT

The best use of JWT is as a one-time authorization token. In this case the token has the following characteristics:

An example of a real-world scenario: a file hosting service that consists of two parts:

How to use JWT in this scenario?

Session

Session is better suited to session management for Web applications, and its characteristics generally include:

Summary