Token based authentication and scalability? An ill

Posted 2019-03-31 20:15

I just read The Ins and Outs of Token-based Authentication. It claims scalability is the main issue with server-based authentication, since the server has to store sessions locally, and it promotes token-based authentication as the cure.

But really?

Authentication is just one of the possible places that could cause a scalability issue. As long as there's ANY user-specific state stored on the server side, no matter whether it is stored at session scope or web application scope, that will also cause a scalability issue. It is overly exaggerated to say token-based authentication alone can solve the scalability issue. There are too many other factors which are much stronger ones. Just because token-based authentication is stateless doesn't mean the whole server CAN BE stateless.

Let's take JWT as an example. By the definition of JWT:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

I don't think JWT is suitable for storing state info beyond authentication data, because the common reasonable places for JWT storage, such as HTTP headers and cookies, all have small size limits.

Do you agree? Could anyone shed some light on this?

1 answer
Rolldiameter
Post #2 · 2019-03-31 20:35

Whether or not your application needs session state for other things does not affect the scalability characteristics of using JWT tokens.

It's perfectly possible to design a truly stateless application, in which case the use of token-based authentication allows you to remain stateless.

You should not use security tokens to store session info, as tokens are signed and session info is usually volatile. The issuer would need to re-sign the token each time one of the claims changes.
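As an added illustration of the answer's point (example code written for this page, not code from the question, the answer, or any library; it uses only the Python standard library and a constructed demo key): any server holding the key can verify a token with no session lookup, but a claim changed in the payload without the issuer re-signing fails verification, which is exactly why volatile session data would force a re-issue on every change.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. In a real deployment every server that must verify
# tokens gets the key (or the issuer's public key), not a shared session store.
SECRET = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict, key: bytes = SECRET) -> str:
    """Issuer side: sign base64url(header).base64url(payload) with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, key: bytes = SECRET, now=None):
    """Stateless check that any server holding the key can run; no session lookup.
    Returns the claims, or None when the token is malformed, the alg is not the
    expected one, the signature does not match, or the token has expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims

def modify_claim_without_reissue(token: str, name: str, value) -> str:
    """What 'updating session state inside the token' means without the issuer:
    the payload changes but the old signature stays, so verify() must reject it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims[name] = value
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"
```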
