确定 JWT 过期时间应该考虑什么?
What should I consider when determining JWT expiration time?
永不让JWT过期让用户自动登录不是有效吗?它有安全问题吗?
我不想使用会话和/或 cookie。他们是无效的。
IMO,它在令牌被盗时有效。如果你有一个无限的到期时间,入侵者可以在整个生命周期内访问受保护的资源。将其视为您的个人邮件密码。定期更改它通常是个好主意,这样如果有人在您不知情的情况下获得了您的密码,他将无法再次访问您的电子邮件。
话虽如此,过期时间并不是强制性的。
根据 this
The "exp" (expiration time) claim identifies the expiration time on
or after which the JWT MUST NOT be accepted for processing. The
processing of the "exp" claim requires that the current date/time
MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than
a few minutes, to account for clock skew. Its value MUST be a number
containing a NumericDate value. Use of this claim is OPTIONAL.
永不让JWT过期让用户自动登录不是有效吗?它有安全问题吗?
我不想使用会话和/或 cookie。他们是无效的。
IMO,它在令牌被盗时有效。如果你有一个无限的到期时间,入侵者可以在整个生命周期内访问受保护的资源。将其视为您的个人邮件密码。定期更改它通常是个好主意,这样如果有人在您不知情的情况下获得了您的密码,他将无法再次访问您的电子邮件。 话虽如此,过期时间并不是强制性的。 根据 this
The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.