如果我正在构建一个通过 Oauth 进行身份验证的应用程序,那么使用 cookie 进行会话是否有意义?
这是一个开放式问题,我很好奇人们的想法:当你有一个使用 twitter Oauth 进行身份验证的应用程序来设置“记住我”cookie 时,这有意义吗?这样,它就不必访问 Oauth 服务,并且可以在设定的时间段内重新创建会话?
我希望这一点很清楚。好奇你的想法。
This is an open ended question that I was curious what people thought: Does it make sense, when you have an app that uses twitter Oauth for authentication to set a "Remember Me" cookie? This way, it wouldn't have to hit the Oauth service and could recreate the session if it's been in a set time period?
I hope this is clear. Curious about your thoughts.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这仅取决于您希望在通过使用 Twitter 登录之前等待多长时间授权流程。如果您的 cookie 持续时间很长,他们就不会经常重复该流程,但如果有人窃取 cookie,他们将可以访问更长时间。不利的一面是,如果他们退出 Twitter 并且 cookie 过期,他们就必须通过 Twitter 进行身份验证。这实际上取决于哪种安全性和令牌过期对您的 Web 应用程序有意义。
It just depends on how long you want to wait before you send users back through the Sign in with Twitter auth flow. If you have cookies last for a long time they don't have repeat the flow as often but if someones steals the cookies they will have access for a longer period of time. On the downside if they log out of Twitter and the cookie expires they then have to authenticate with Twitter. It really depends on what kind of security and token expiration makes sense for your web application.
OAuth 与 cookie 无关。您应该存储您的访问令牌并使用它直到它过期。访问令牌过期是服务器控制的过程,您必须处理 HTTP 未经授权的情况,并获取新的访问令牌。
在您的应用程序中拥有“记住我”功能就是您的应用程序逻辑。您仍然可以控制是否每次都向用户显示 Twitter 的身份验证屏幕。请记住,如果您的过期超时时间长于 Twitter 的访问令牌生命周期,那么您将必须让最终用户再次进行身份验证。
OAuth has nothing to do with cookies. You should be storing your access token and using it until it expires. The access token expiration is a server controlled process and you must handle a case where you are given HTTP Unauthorized and go get a new access token.
Having a "remember me" functionality in your app is your app logic. You still can control if you want to show Twitter's auth screen to the user every time or not. Just keep in mind that if your expiration timeout is longer than twitter's access token lifespan then you'll have to make end user authenticate again.
应该没关系。当应用程序使用 OAuth 时,它会取回一个令牌,该令牌应与您的帐户信息一起存储。然后,当你回来时,它可以查找令牌并使用它来访问你的 Twitter 帐户。
如果您没有 cookie,您只需登录该应用程序,它就会存储您的令牌。如果这样做,那么您可以跳过该登录步骤。在这两种情况下,您都不需要再次登录 Twitter(直到令牌过期)。
It shouldn't matter. When the app uses OAuth, it gets back a token that it should store with your account information. Then, when you come back, it can look up the token and use that for access to your Twitter account.
If you don't have a cookie, you can just log in to the app, and it will have your token stored. If you do, then you can skip that login step. In neither case will you have to log in to Twitter again (until the token expires).