It's quite common to store the JWToken in a cookie and even send said cookie to the server in requests (instead of adding the auth header).
Using a secure cookie (HttpOnly, SameSite=strict, secure) is more secure than localStorage, while there are always risks with storing credentials on the client.
When it comes to user information, if the information you need is not too much, some of it can actually be stored in the JWT as custom claims. That way you don't need to fetch the "basic data" from the database, but can simply access it from the JWT after parsing (and validating) it.
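The two points above (carrying the JWT in an HttpOnly/Secure/SameSite=Strict cookie instead of an Authorization header, and reading custom claims from the token only after the signature and expiry have been checked) as one added example. This is not code from the answer or from any JWT library; it assumes HS256 with a hypothetical shared secret, a cookie named `session`, a `roles` claim, and uses only the Python standard library:

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: HS256 shared secret held only by the server (placeholder value).
SECRET = b"example-hmac-key-do-not-reuse"
COOKIE_NAME = "session"  # assumption: cookie name used for the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims only if alg, signature and exp all check out."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token pick (alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def login_set_cookie_header(user_id: str, name: str, roles: list,
                            secret: bytes = SECRET, now=None, ttl: int = 3600) -> str:
    """Server side of login: mint the JWT with a few custom claims and
    return the Set-Cookie header value with the hardening attributes."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "name": name, "roles": roles,
              "iat": now, "exp": now + ttl}
    token = create_jwt(claims, secret)
    # HttpOnly: no script access; Secure: TLS only; SameSite=Strict: not sent cross-site.
    return (f"{COOKIE_NAME}={token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/; Max-Age={ttl}")


def user_from_cookie_header(cookie_header: str, secret: bytes = SECRET, now=None):
    """Server side of a request: pull the token out of the Cookie header and
    serve the 'basic data' straight from the verified claims (no DB lookup).
    Returns None when the cookie is absent; raises ValueError when invalid."""
    cookies = {}
    for item in cookie_header.split(";"):
        if "=" in item:
            k, v = item.strip().split("=", 1)
            cookies[k] = v
    token = cookies.get(COOKIE_NAME)
    if token is None:
        return None
    claims = verify_jwt(token, secret, now)
    return {"id": claims["sub"], "name": claims["name"], "roles": claims["roles"]}


if __name__ == "__main__":
    hdr = login_set_cookie_header("42", "alice", ["admin"])
    print("Set-Cookie:", hdr)
    token = hdr.split(";")[0].split("=", 1)[1]
    print(user_from_cookie_header(f"theme=dark; {COOKIE_NAME}={token}"))
```

The client never touches the token: the browser attaches the cookie on its own, so the server only has to read the `Cookie` header, verify, and then trust the claims. Anything the server could not tolerate being stale for the token's lifetime (a revoked role, a locked account) still belongs in the database rather than in a claim.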