英文:
In Swift, should short-lived access token need to be stored in keychain?
问题
关于访问令牌的几乎所有答案都说你需要将其存储在钥匙串中,但是我正在实现的访问令牌在用户登录后仅有效5分钟。
访问令牌是由登录API返回的。
现在的实现方式是将它存储在钥匙串中,这会在操作系统暂停或终止应用程序时创建问题,这种情况发生在用户登录后从未注销时。没有100%的方法来检测这种情况。
由于设计不当,我们有一个现有的API,它在预登录或登录后调用,并且会根据是否传递了访问令牌而返回不同的响应,无效的访问令牌会被传递,即使用户刚刚启动了应用程序也会看到错误消息。
由于访问令牌的生存期很短,我想通过不将其保存在钥匙串中,而只将其保留在内存/单例变量中来解决这个问题,以便它只在应用程序处于活动/运行状态时存在。
对此有何看法?
英文:
Almost all answers about access token says you need to store it in keychain, however the access token I am implementing is only valid for 5 minutes after a user login.
The access token is returned by the login API.
Right now the implementation is it is being stored in keychain which then creates problems for customers since the access token is not cleared in keychain when the OS suspends or terminates the app, this happens when a user signs in and never signs out. There is no 100% way to detect this.
Due to a bad design, we have na existing API that is called in pre-login or post login, and will have different response that depends if you pass an access token, the invalid access token gets passed and the user sees an error even if he just launched the app.
Since the access token is short-lived, I want to fix this issue by not saving it in keychain and just keep it in memory/singleton variable so that it only lives for as long as the app is active/running.
Any thoughts on this?
答案1
得分: 1
如果数据仅在运行时使用,将其存储在钥匙串中没有任何好处。可能会想象到某些情况下,由于在不使用时清除令牌而有益,但实际上从内存中清除数据非常困难(特别是在Swift中),因此这不太可能有用。仅将数据存储在内存中,您肯定会在数据保护方面获得“同样好甚至更好”的效果。您绝对不会使情况变得更糟。
英文:
If the data is exclusively used while running, there is no benefit to storing it in the keychain. One might imagine cases where there were a benefit due to clearing the token when not in use, but it is incredibly difficult to actually clear data from memory (and especially in Swift), so this is unlikely to be useful. You're going to have somewhere between "just as good" and better data protection by only storing it in memory. You certainly won't make things worse.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论