Web authentication and session maintenance (session, token)

  1. Today the main role of cookies is as browser-side storage; for example, a cookie can be used to remember a password locally in the browser.
  2. session :
    (1) The browser stores the session_id (encrypted), and the server stores the detailed record of each user's login state. The session_id is carried on every request; once the server has validated it, the user's current login state can be looked up.
    (2) For browsers that support cookies, the session_id is generally stored in a cookie and sent along with it on each request. For browsers that do not support cookies, the session_id is either appended to the URL by URL rewriting: http://www.test.com/test;jsessionid=ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764 or placed in a hidden form field: <form name="testform" action="/xxx"> <input type="hidden" name="jsessionid" value="ByOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng!-145788764"> <input type="text"> </form>
    (3) Disadvantages: because the server must maintain every user's login state, its storage load grows; and when the server side is scaled horizontally behind a load balancer, the browser's request must be routed to the server that holds the corresponding session.
  3. token :
    (1) Tokens improve on sessions by solving the server-side horizontal scaling problem.
    (2) Higher security. The token is generally stored in the browser's WebStorage (sessionStorage or localStorage) and carried in a request header. Because the token travels in a header rather than a cookie, the browser does not attach it automatically, which effectively prevents CSRF attacks.
    (3) The token is stateless: after the server decrypts the token, it can read the corresponding user_id and login state directly from it, with no server-side lookup.
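To make the contrast between points 2 and 3 concrete, here is an added Python example (not from the original post) of a server-side session store beside a stateless HMAC-signed token carried in an Authorization header; the signing key, the token format and all helper names are assumptions for this demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a server-side signing key; constructed for this demo only.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
# --- session model: login state lives on the server -------------------------
SESSION_STORE = {}  # session_id -> login record, held in one server's memory

def create_session(user_id):
    session_id = secrets.token_urlsafe(32)  # opaque, unguessable identifier
    SESSION_STORE[session_id] = {"user_id": user_id, "logged_in": True}
    return session_id

def lookup_session(session_id):
    # None if this server never stored the id (e.g. another node behind the LB)
    return SESSION_STORE.get(session_id)
# --- token model: login state travels with the request, HMAC-protected ------
def _sign(body):
    return base64.urlsafe_b64encode(
        hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()).decode()

def issue_token(user_id, now, ttl=3600):
    claims = {"user_id": user_id, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def verify_token(token, now):
    """Return the claims of a valid, unexpired token, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    # Check the signature before parsing anything from the untrusted body.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:  # expired
        return None
    return claims

def user_from_request(headers, now):
    """Read 'Authorization: Bearer <token>' and return the user_id or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_token(auth[len("Bearer "):], now)
    return claims["user_id"] if claims else None
```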


Origin blog.csdn.net/SJ1551/article/details/109225072