JWT / HttpOnly

发表于2018-02-04|更新于2026-05-05|技术

|浏览量:

JWT / HttpOnly

JWT

Json Web Token,代替cookie session,解决CSRF（Cross Site Request Forge）。包括header,payload，签名,存储在客户端Loal Storage中。

1	header = '{"alg":"HS256","typ":"JWT"}'

1	payload = '{"loggedInAs":"admin","iat":1422779638}'//iat表示令牌生成的时间

1
2
3

key = 'secretkey'  
unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload)  
signature = HMAC-SHA256(key, unsignedToken)

token = encodeBase64(header) + '.' + encodeBase64(payload) + '.' + encodeBase64(signature) 

# token看起来像这样: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI

http header

1	Authorization: Bearer eyJhbGci...<snip>...yu5CSpyHI

HttpOnly

cookie头中一个属性，避免CSS（Cross Site Script).JS不能读取Cookie, 只能服务端读。e

文章作者: 老实

文章链接: https://shidonghua.9631369.xyz/2018/02/03/201802/2018-02-04-httponly/

版权声明: 本博客所有文章除特别声明外，均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来源石头记！

相关推荐

Docker Cheat Sheet

Docker Cheat SheetWant to improve this cheat sheet? See the Contributing section! Table of Contents Why Docker Prerequisites Installation Containe...

sleuth & zipkinsleuthSpring Cloud Sleuth (org.springframework.cloud:spring-cloud-starter-sleuth), once added to the CLASSPATH, automatically in...

reactor组件组件描述 Initiation Dispatcher 管理（注册，删除，回调）event handler， Synchronous Event Demultiplexer IO多路分发器，epoll/select Handle socket, NIO C...

jdk6 升级到 jdk8 注意事项二进制兼容源代码兼容中间件（tomcat/spring）开源库版本升级 jvm启动参数permSize->meta space spring3 -> spring 4 代码覆盖率工具 emma -> Jacoco 通过设置 ...

Java Securerandom

##Java Random Number Generation In the Linux operating system, there is a special device file that can be used as a random number generator or pseu...

数据加载中