Updated: 2018-09-26 02:21:10 CST +08

JWT - JSON Web Token

Purpose

Store data in client side, which could be read by can’t be modified.

Authentication
Authorization

Structure

base64(header).base64(payload).signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEaW5vIExhaSIsInN1YiI6ImRpbm9zODAxNTJAZ21haWwuY29tIiwiYXVkIjoiZGlub2xhaS5jb20iLCJleHAiOjE1MzczNTcyNjIsImlhdCI6MTUzNzM1NzE2MiwidXNlcklkIjo4MDE1Mn0.YaLyoBs8z5Va7YsIQaC6uEZDw8GZHBiV_2hIUSVQYUs

{
    "alg": "HS256", // algorithm
    "typ": "JWT" // type
}

Payload

{
    "iss": "Dino Lai", // issuer
    "sub": "dinos80152@gmail.com", // subject
    "aud": "dinolai.com", // audience
    "exp": 1537357262, // expiration time
    "iat": 1537357162, // issued at
    "userId": 80152 // custom field
}

Signature

Encrypt by algorithm defined in header

HmacSHA256(base64(header)+"."+base64(payload), $secret)

Flow

Comparison

Comparison	JWT	Cookie	Session
Side	Client	Client	Server
Visible	✓	✓	☓
Tamper	☓	✓	☓
Identify	✓	☓	✓
additional resource	spend computing for en/decode, encrypt		diskIO or network IO

JWT - JSON Web Token

Purpose

Structure

Header

Payload

Signature

Flow

Comparison

Reference