JWT / HttpOnly

JWT

Json Web Token,代替cookie session,解决CSRF（Cross Site Request Forge）。包括header,payload，签名,存储在客户端Loal Storage中。

header = '{"alg":"HS256","typ":"JWT"}'

payload = '{"loggedInAs":"admin","iat":1422779638}'//iat表示令牌生成的时间

key = 'secretkey'  
unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload)  
signature = HMAC-SHA256(key, unsignedToken) 

token = encodeBase64(header) + '.' + encodeBase64(payload) + '.' + encodeBase64(signature) 

# token看起来像这样: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI

http header

Authorization: Bearer eyJhbGci*...<snip>...*yu5CSpyHI

HttpOnly

cookie头中一个属性，避免CSS（Cross Site Script).JS不能读取Cookie, 只能服务端读。e