使用Token时…

需要联邦。例如，您希望使用一个提供者(令牌分发器)作为令牌颁发者，然后使用api服务器作为令牌验证器。应用程序可以向令牌分发器进行身份验证，接收令牌，然后将该令牌提交给api服务器进行验证。(同样适用于谷歌登录。或贝宝。或Salesforce.com。等)

Asynchrony is required. For example, you want the client to send in a request, and then store that request somewhere, to be acted on by a separate system "later". That separate system will not have a synchronous connection to the client, and it may not have a direct connection to a central token dispensary. a JWT can be read by the asynchronous processing system to determine whether the work item can and should be fulfilled at that later time. This is, in a way, related to the Federation idea above. Be careful here, though: JWT expire. If the queue holding the work item does not get processed within the lifetime of the JWT, then the claims should no longer be trusted.

客户需要签署请求。在这里，请求由客户端使用他的私钥签署，服务器将使用客户端已经注册的公钥进行验证。

使用Token时…

需要联邦。例如，您希望使用一个提供者(令牌分发器)作为令牌颁发者，然后使用api服务器作为令牌验证器。应用程序可以向令牌分发器进行身份验证，接收令牌，然后将该令牌提交给api服务器进行验证。(同样适用于谷歌登录。或贝宝。或Salesforce.com。等)

Asynchrony is required. For example, you want the client to send in a request, and then store that request somewhere, to be acted on by a separate system "later". That separate system will not have a synchronous connection to the client, and it may not have a direct connection to a central token dispensary. a JWT can be read by the asynchronous processing system to determine whether the work item can and should be fulfilled at that later time. This is, in a way, related to the Federation idea above. Be careful here, though: JWT expire. If the queue holding the work item does not get processed within the lifetime of the JWT, then the claims should no longer be trusted.

客户需要签署请求。在这里，请求由客户端使用他的私钥签署，服务器将使用客户端已经注册的公钥进行验证。

A typical web app is mostly stateless, because of its request/response nature. The HTTP protocol is the best example of a stateless protocol. But since most web apps need state, in order to hold the state between server and client, cookies are used such that the server can send a cookie in every response back to the client. This means the next request made from the client will include this cookie and will thus be recognized by the server. This way the server can maintain a session with the stateless client, knowing mostly everything about the app's state, but stored in the server. In this scenario at no moment does the client hold state, which is not how Ember.js works.

在Ember.js中情况有所不同。Ember.js使程序员的工作变得更容易，因为它确实在客户端为您保存了状态，可以随时了解其状态，而不必向服务器请求状态数据。

然而，在客户端保存状态有时也会引入在无状态情况下不存在的并发问题。然而，Ember.js也为您处理这些问题;具体地说，ember-data是基于这一点构建的。总之，Ember.js是为有状态客户端设计的框架。

Ember.js不像典型的无状态web应用程序那样，会话、状态和相应的cookie几乎完全由服务器处理。Ember.js将其状态完全保存在Javascript中(在客户端的内存中，而不是像其他框架那样在DOM中)，并且不需要服务器来管理会话。这导致Ember.js在许多情况下更加通用，例如当你的应用程序处于离线模式时。

显然，出于安全原因，每次发出请求时都需要向服务器发送某种令牌或唯一密钥，以便进行身份验证。通过这种方式，服务器可以查找发送令牌(最初由服务器发出)，并在将响应发送回客户端之前验证它是否有效。

在我看来，使用认证令牌而不是在Ember Auth FAQ中所述的cookie的主要原因是Ember.js框架的性质，也因为它更适合有状态的web应用程序范例。因此，cookie机制并不是构建Ember.js应用程序的最佳方法。

我希望我的回答能让你的问题更有意义。

我认为这里有些混乱。基于cookie的身份验证与HTML5 Web Storage之间的显著区别在于，浏览器被构建为每当从设置它们的域请求资源时都发送cookie数据。如果不关掉cookie，你无法阻止这种情况。除非页面中的代码发送数据，否则浏览器不会从Web存储发送数据。页面只能访问自己存储的数据，而不能访问其他页面存储的数据。

因此，如果用户担心自己的cookie数据可能被谷歌或Facebook使用，可能会关闭cookie。但是，他们没有理由关闭网络存储(直到广告商也找到一种方法来使用它)。

所以，这就是基于cookie和基于令牌的区别，后者使用Web存储。

Tokens need to be stored somewhere (local/session storage or cookies) Tokens can expire like cookies, but you have more control Local/session storage won't work across domains, use a marker cookie Preflight requests will be sent on each CORS request When you need to stream something, use the token to get a signed request It's easier to deal with XSS than XSRF The token gets sent on every request, watch out its size If you store confidential info, encrypt the token JSON Web Tokens can be used in OAuth Tokens are not silver bullets, think about your authorization use cases carefully

http://blog.auth0.com/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/

http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/

简而言之:

JWT vs Cookie Auth

|                    | Cookie        | JWT                             |
| Stateless          | No            | Yes                             |
| Cross domain usage | No            | Yes                             |
| Mobile ready       | No            | Yes                             |
| Performance        | Low           | High (no need in request to DB) |
| Add to request     | Automatically | Manually (if not in cookie)     |