Understanding session, cookie, token and JWT


Session and cookie

Nowadays session and cookie are almost always used, and mentioned, together. The two do not have to go together, though.

First of all, keep in mind that HTTP is stateless. When a request arrives, the server does not know whether the user behind it has already logged in, or anything else about their state; all it could do is redirect every request to the login page. Users would go mad: why do you keep making me log in?

So our predecessors came up with a scheme. After the first successful login, the server creates a session: a record of the user and their state, identified by a session id (sessionId). It returns only the sessionId to the browser. The browser stores that sessionId in a cookie and sends it back with every subsequent request. The server reads the sessionId out of the request's cookie, looks it up in its own storage (commonly Redis) to recover the user's state, and can then carry on with whatever the request asked for.

In short:

  1. The session lives on the server side, the cookie on the browser side.
  2. A cookie is only one way of carrying the session id. It is the most common, but not the only one: if cookies are disabled the id can be carried elsewhere, for example in the URL (which leaks it into logs and referrers, so it is a last resort).
  3. Back-end services are now deployed as distributed clusters, so sessions are generally kept in a Redis cluster. The downside is that if Redis fails, every user's requests may be affected.

Storing and operating the session store in the back end is therefore both important and risky, and the reliability requirements on it are very high.
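To make the server-side half of this concrete, here is an added example (not code from the original post): a minimal session store with the properties the text relies on, i.e. the cookie carries only an opaque random id, the state lives on the server, and the server can expire or destroy a session at will. The in-memory dictionary stands in for the Redis store mentioned above; the cookie name `sid`, the 30-minute lifetime and the `now` parameters are assumptions for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_TTL = 30 * 60      # assumed lifetime in seconds
COOKIE_NAME = "sid"        # assumed cookie name


class SessionStore:
    """In-memory stand-in for the server-side store (Redis in the text). Example only."""

    def __init__(self, ttl: int = SESSION_TTL):
        self._ttl = ttl
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        # The value handed to the browser is an opaque 256-bit random reference,
        # not user data: the only way to forge one is to guess it.
        session_id = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._sessions[session_id] = {"user_id": user_id, "expires": now + self._ttl}
        return session_id

    def lookup(self, session_id: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the session record, or None for unknown or expired ids."""
        record = self._sessions.get(session_id)
        if record is None:
            return None
        now = time.time() if now is None else now
        if now >= record["expires"]:
            # Expired: drop it so a replayed old cookie cannot come back later.
            del self._sessions[session_id]
            return None
        return record

    def destroy(self, session_id: str) -> None:
        # Logout: server-side deletion is what actually ends a session.
        self._sessions.pop(session_id, None)


def user_from_cookie_header(store: SessionStore, cookie_header: str,
                            now: Optional[float] = None) -> Optional[str]:
    """Server side of a request: pull the id out of the Cookie header and resolve it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    record = store.lookup(morsel.value, now=now)
    return None if record is None else record["user_id"]


def set_cookie_header(session_id: str, ttl: int = SESSION_TTL) -> str:
    """Login response: the Set-Cookie value with the flags a practitioner expects."""
    # HttpOnly keeps scripts away from it, Secure restricts it to TLS,
    # SameSite=Lax limits cross-site sending, Max-Age bounds its lifetime.
    return (f"{COOKIE_NAME}={session_id}; Max-Age={ttl}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```

Note what the store never does: it never trusts anything in the cookie beyond using it as a lookup key. A guessed or edited id simply fails the lookup, which is exactly the property the token approach below has to reproduce without a lookup.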

There have always been two ways to deal with a problem like this: make the fragile piece more reliable, or remove the piece so the problem cannot arise.

So, can we get away with not storing the session at all?

token

It is actually possible. Think it through step by step:

  1. Suppose we put all the information in the cookie itself. As long as the cookie carries the user's id and status to the server, the server needs no lookup.
  2. But as it stands this is very dangerous: the user can edit the cookie at will and claim to be anyone.
  3. So the question becomes: how do we make that data tamper-evident?
  4. The answer is to sign it. When the user logs in, the server computes a signature over the data using a key that only the server knows (a MAC such as HMAC-SHA256; note that this is signing, not encryption, so the data itself stays readable). The data together with its signature is the token.


On the next request the browser presents the token. The server recomputes the signature over the data with the same key and compares it with the signature carried in the token (using a constant-time comparison). If they match, the data has not been altered and the verification passes.

Because the secret key is known only to the server, a user cannot forge a valid token without it. The server therefore no longer has to store session data: it is stateless, and when traffic grows you simply add servers. There are trade-offs, though. The payload is readable by anyone who holds the token, so it must not contain secrets, and because nothing is stored server-side a token cannot be revoked before it expires unless you add a denylist, which brings some state back.

Advantages of token:

  • Stateless and scalable
  • Works for mobile clients (native apps have no browser cookie jar, but can send a header)
  • Can be passed between programs and across domains
  • Security, as long as the key stays on the server and tokens travel over TLS

Most of the APIs and web applications you see today use tokens, for example Facebook, Twitter, Google+ and GitHub.

JWT

We know that tokens are a good idea, so how do we put them into practice?

JWT is one implementation of the token idea, standardised in RFC 7519, and it is the de facto standard in the Java web world and well beyond it.

JWT stands for JSON Web Token: as the name says, the data carried in the token is encoded as JSON.

A JWT consists of 3 parts, each Base64url-encoded and joined with dots (header.payload.signature):

  • Header: metadata about the JWT, chiefly the signing algorithm (alg) and the token type (typ).
  • Payload: the claims, i.e. the data actually being transferred, such as the user id and an expiry time (exp). It is encoded, not encrypted.
  • Signature: computed with the algorithm named in the Header (HMAC-SHA256, "HS256", is the common default) over the encoded Header and Payload using a secret key held by the server.

JWT process:

In a token-based application, when a user logs in the server builds the Header and Payload, signs them with its secret, and sends the resulting token to the client.

The client then stores the token, in a cookie or in localStorage, and attaches it to every subsequent request. A cookie is sent automatically, but it does not cross domains and exposes you to CSRF unless it is locked down; localStorage is readable by any script on the page, so an XSS bug leaks the token. The usual choice for APIs is therefore the HTTP Authorization header: Authorization: Bearer <your token>.

JWT and OAuth 2.0

OAuth 2.0 is an authorization framework: it lets a user grant a third-party application access to their data. It and JWT are not on the same level. OAuth 2.0 is a specification for delegating authorization to third parties, while JWT is a specification for the structure of a token. The two are easy to confuse only because JWT is often used for login authentication and the OAuth 2.0 flow also involves a login step.


Origin blog.csdn.net/QiuHaoqian/article/details/109109300