Sharing a must-read on REST API design: https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#token-storage
A rough translation of the first point:
In the context of tokens being used on single page applications, some people have brought up the issue about refreshing the browser, and what happens with the token. The answer is simple: you have to store the token somewhere: in session storage, local storage or a client side cookie. Most session storage polyfills fallback to cookies when the browser doesn't support it.
In a single-page application, people ask what happens to the token when the user refreshes the page; it has to be saved somewhere. The answer is simple: store the token in session storage, local storage, or a client-side cookie. If the browser doesn't support session storage, most polyfills fall back to cookies.
If you are wondering "but if I store the token in the cookie I'm back to square one". Not really, in this case you are using cookies as a storage mechanism, not as an authentication mechanism (i.e. the cookie won't be used by the web framework to authenticate a user, hence no XSRF attack).
You might wonder, "If I store the token in a cookie, aren't I back where I started?" Not when the cookie is used as a storage mechanism rather than an authentication mechanism. (Because the web framework won't use the cookie to authenticate the user, there is no XSRF attack.)
I can't be bothered to translate the rest; nobody on this forum has trouble reading English anyway.
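The storage pattern from the first point, as an added example that is not from the post or the linked article: prefer sessionStorage, fall back to localStorage, then to a client-side cookie, and always send the token in an Authorization header so the cookie is never the authentication mechanism. The storage objects and document are injected (an assumption so it also runs outside a browser); `TOKEN_KEY` and the function names are made up here.

```javascript
// Added example: SPA token storage with sessionStorage -> localStorage -> cookie
// fallback. The token is sent as a bearer header, never read from the cookie by
// the server, so a cross-site request carrying only cookies stays anonymous.
const TOKEN_KEY = 'api_token'; // constructed key name

// Return the first usable Web Storage object; some browsers expose the object
// but throw on setItem (e.g. private browsing), so probe with a write.
function pickStorage(candidates) {
  for (const s of candidates) {
    if (!s) continue;
    try {
      s.setItem('__probe__', '1');
      s.removeItem('__probe__');
      return s;
    } catch (_) { /* storage disabled: try the next candidate */ }
  }
  return null;
}

// Cookie used purely as a key/value container. Secure + SameSite=Strict limit
// where it travels; it carries no server-side session and is never read server-side.
function cookieStorage(doc) {
  return {
    getItem(k) {
      const m = doc.cookie.match(new RegExp('(?:^|; )' + k + '=([^;]*)'));
      return m && m[1] ? decodeURIComponent(m[1]) : null;
    },
    setItem(k, v) {
      doc.cookie = k + '=' + encodeURIComponent(v) + '; path=/; Secure; SameSite=Strict';
    },
    removeItem(k) {
      doc.cookie = k + '=; path=/; Max-Age=0; Secure; SameSite=Strict';
    },
  };
}

// Build a token store from whatever the environment provides.
function createTokenStore({ sessionStorage, localStorage, document }) {
  const backend = pickStorage([sessionStorage, localStorage, document && cookieStorage(document)]);
  if (!backend) throw new Error('no token storage available');
  return {
    save: (token) => backend.setItem(TOKEN_KEY, token),
    load: () => backend.getItem(TOKEN_KEY),
    clear: () => backend.removeItem(TOKEN_KEY),
    // Headers for fetch(): the server authenticates from this header only.
    authHeaders: () => {
      const t = backend.getItem(TOKEN_KEY);
      return t ? { Authorization: 'Bearer ' + t } : {};
    },
  };
}
```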