Difference Between Token And JWT

admin 2021-09-22 15:31:00 Others

- JWT is stateless, meaning the server does not store it. The server is only responsible for issuing the JWT after successful authentication and for verifying it afterwards. It is the CLIENT that is responsible for storing it and for sending it in an HTTP header with every request once authentication has succeeded. Therefore, it is a decoupled design. One obvious benefit is that it reduces queries against storage, such as a database or Redis. On the other hand, this is also a disadvantage. Because the server does not store it, if we want to log out of our account, as a user I have no way to achieve that. Furthermore, if our JWT is stolen by bad guys, I still have no way to log out. What's worse, the algorithm or key used to sign it may be compromised; in that case, they can easily generate fake tokens to access real users' resources. Second, a JWT is not a plain random string: it consists of three parts, namely the header, the payload and the signature. Usually we pack user info into the payload, such as the user id and gender, but not sensitive info such as a password or phone number. So it stores meaningful information. But, on the other hand, it also increases network traffic because the text is longer than a normal token.

- TOKEN, I think, is the opposite of JWT. It is used in more secure scenarios. The server does store tokens. It generates a random string which does not contain any info about the user it is bound to. The only thing you must do well is make sure that the random string generated is unique in your system. To be more frank, you must not generate the same random string for two different users. In that case, the relationship between token and user would no longer be one-to-one, so you would get another user's info, which is not what we expect.
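To make the two designs described above concrete, here is an added example (not code from the original post) that mints and verifies a three-part HS256 JWT with only the Python standard library, and beside it an opaque token store that keeps the token-to-user mapping server-side. The names `mint_jwt`, `verify_jwt`, `peek_payload` and `OpaqueTokenStore` and the key `SECRET` are assumptions of this example; the revoke path exists only for the stored token, which is exactly the logout gap the post describes for JWT.

```python
import base64, hashlib, hmac, json, secrets, time
SECRET = b"demo-secret-do-not-reuse"  # constructed sample key for this example only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(payload: dict, key: bytes = SECRET) -> str:
    """header.payload.signature with HS256; the server keeps no record of it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def peek_payload(token: str) -> dict:
    """Anyone holding the token can read the claims: base64url is encoding, not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes = SECRET, now=None):
    """Return the payload if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header, payload, sig = (json.loads(_b64url_decode(h)),
                                json.loads(_b64url_decode(p)), _b64url_decode(s))
    except ValueError:  # wrong part count, bad base64url, or bad JSON
        return None
    if not (isinstance(header, dict) and header.get("alg") == "HS256"):
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expiry is the only way a stateless server ever stops honouring a JWT
    return payload

class OpaqueTokenStore:
    """Server-side tokens: a random string carrying no user info; the mapping lives here."""
    def __init__(self):
        self._tokens = {}
    def issue(self, user_id) -> str:
        while True:  # the loop gives the uniqueness the text insists on
            tok = secrets.token_urlsafe(32)
            if tok not in self._tokens:
                self._tokens[tok] = user_id
                return tok
    def lookup(self, tok):
        return self._tokens.get(tok)
    def revoke(self, tok):  # logout or a stolen token: possible here, not for a JWT
        self._tokens.pop(tok, None)
```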