Question
How do I decide which authentication to use (e.g. forms-based authentication or token-based authentication)?
What are the merits of using token-based authentication over forms/session/cookie-based authentication? I have read multiple articles online but am still unclear.
Can anyone explain to me how to choose between these two for web and mobile platform user authentication?
Answer 1:
JWT is better unless you have a specific need that I'm not aware of.
Session requires cookies, and cookies only work in the browser. JWT: essentially, data in JSON format, so you can work with it on different platforms.
Also, JWT is more secure. You would be vulnerable to CSRF attacks if you're using cookies as a persistent authentication mechanism. A hacker can trick the victim into visiting his website and clicking some buttons, and his request would be sent as the victim because cookies are sent automatically with each request.
With JWT, you can store it in whatever your storage is, i.e. localStorage for desktop. The JWT is manually sent with each request by you. So the above scenario won't happen.
Can a hacker modify your JWT in localStorage and add more claims, i.e. change the user type from 'user' to 'admin'? Nope! It requires some private key which only the server has. You can try Auth0 and test it out on jwt.io.
Those are the key points, imo. There are other benefits, but you can easily find them out via Google.
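The two claims in the answer above, that a token edited in localStorage fails verification and that a bearer token is only honoured when the client attaches it explicitly rather than via an automatically sent cookie, can be checked with a small HS256 JWT implementation. The code below is an added example, not part of the original answer and not Auth0's or any library's code; it uses only the Python standard library, and the secret, claim names and request shape are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In a real deployment this value exists only on the server.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """Server side: sign header.payload with HMAC-SHA256 over the secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Server side: return the claims only if the signature and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        actual_sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm on the server; never let the token choose it (rejects "none").
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected_sig, actual_sig):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if "exp" in claims and time.time() >= claims["exp"]:
        return None
    return claims


def tamper_role(token: str, new_role: str) -> str:
    """Model the edit the answer describes: rewrite the payload in storage, keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    new_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header_b64 + "." + new_payload + "." + sig_b64


def authenticate_request(headers: dict, cookies: dict,
                         secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Server side: accept only an explicitly attached bearer token.

    Cookies are deliberately ignored, so a cross-site request that carries the
    browser's cookies but no Authorization header is not authenticated.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_jwt(auth[len("Bearer "):], secret)


if __name__ == "__main__":
    token = mint_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 3600})
    print("valid token   ->", verify_jwt(token))
    print("role tampered ->", verify_jwt(tamper_role(token, "admin")))
    print("cookie only   ->", authenticate_request({}, {"session": token}))
    print("bearer header ->", authenticate_request({"Authorization": "Bearer " + token}, {}))
```

The interesting lines are in `verify_jwt`: the algorithm is fixed by the server rather than read from the token, the HMAC comparison is constant-time, and the signature is checked before the payload is trusted. Rejecting the tampered token works because the old signature was computed over the original payload bytes, so any change to the claims changes the expected MAC. Note that `authenticate_request` demonstrates the CSRF point from the answer purely by ignoring cookies; it does not by itself address a token read out of localStorage by script running on the same origin.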
Answer 2:
I use token based with a RESTful API, and session based with web applications (excluding SPAs, since I typically build an API to handle the service layer).
The main reasoning here is simple for me: with any API I want everything sent in the header or the body. As such, token based is the way to go. With MVC, however, I don't care, since I am rendering the views and not just data.
Source: https://stackoverflow.com/questions/47999855/difference-between-forms-based-authentication-and-token-based-authetication