我现在要做的项目Django是前后分离的,后端用的 Django。要使用QQ第三方登录。目前用的 python-social-oauth 做的 oauth2.0 登录。
现在的问题是,打算用 JWT + RESTFul 和服务器端做数据对接。问题是 如何将 JWT 的 token 发到前端呢?我打算是放到 cookie 里面。但是不知道这种方式有没有安全问题。
PHP中文网2017-04-17 17:15:46
Putting the token in the cookie is not called JWT. The following HTTP Header needs to be used to pass it to the server
Authorization: Bearer <token>
PHPz2017-04-17 17:15:46
Generally, the token is sent to the front-end when the user successfully logs in or registers successfully. The front-end can consider using cookies to store it, but don’t forget to use http-only. You can also use localStorage, sessionStorage and other mechanisms to store it, depending on your business needs. . In addition, because jwt is a base64 string generated according to certain rules, my personal suggestion is that the backend first uses AES or DES or other symmetric encryption methods to encrypt the token before issuing it to the front end. The front end brings the encrypted token before sending a request. This can increase the difficulty of cracking the token to a certain extent.