Summary of cookie, session, JWT authentication classification

Within one session a client can make N requests to the server, and the server needs some mechanism to associate those requests with the same client; that mechanism is the session mechanism. Maintaining the association between a user and the different requests that user issues across multiple HTTP connections is called maintaining a session. Of the two, cookies are a browser-side session technology and sessions are a server-side session technology; sessions usually rely on cookies.

One, cookie analysis:

Cookies live on the client. When the user logs in correctly, the server plants a cookie in the user's browser containing user information, so that on the next visit the server can identify the user and return their information. Each cookie can be given its own lifetime.

The cookie format has an `expires` attribute, which sets an absolute expiry date.
The `maxAge` option (a lifetime in milliseconds from now) is simpler to use and recommended.

```javascript
res.cookie("username", "jack", {
  maxAge: 90000 }); // username; maxAge is in milliseconds (90000 ms = 90 s)
res.cookie("username", "jack", {
  expires: new Date(Date.now() + 90000) }); // same lifetime, via an absolute expiry date
```

Disadvantages: 1) Not very secure, since the user can modify the content of a cookie at will.
2) The amount of data that can be saved is limited, and the number of cookies each browser will keep is also limited.
3) If the client is configured to block cookies, the cookie cannot be set.

Two, session analysis:

Session data is stored on the server. When the user logs in successfully for the first time, the server creates a session and a unique identifier, the session-id, which it sends back to the client; the client carries that session-id on every subsequent request so the server can identify it. The session is itself based on a cookie: the identifier is stored in the client's cookie. If no expiry time is set, the cookie is not written to disk; it disappears when the browser is closed and the session-id is lost. If a lifetime is set, the cookie is saved on the client's disk, so the session-id still exists on the next visit even after the browser was closed. Using sessions requires some configuration.

The server can also pass the session-id through URL rewriting rather than relying entirely on cookies: if the client disables cookies, the server can still carry the session identifier in the URL.

Using sessions: import express-session (a middleware package) and configure it as follows

```javascript
let express = require('express');
let session = require('express-session');
let app = express();
app.use(session({
  secret: 'keyboard cat',    // key used to sign the session-id cookie
  resave: false,
  saveUninitialized: true,
  cookie: { maxAge: 100000 } // lifetime of the session cookie in milliseconds
}));
```

Disadvantages: 1) Sessions are kept on the server for a certain period, so as traffic grows they consume server resources.
2) Servers generally keep a session for 30 minutes by default and destroy it automatically once that time has passed.
3) If the client is configured to block cookies, the cookie cannot be set.
4) Scalability: even when sessions are stored in Redis or as files, a distributed system has to read that shared session data under high traffic.
5) Vulnerable to CSRF attacks, because the browser attaches the session cookie to requests automatically.

Three, JWT authentication analysis:

JWT replaces the traditional session-cookie mode with a token: the server issues it, and the client presents it when sending information to the server.
After the client logs in successfully for the first time, the server returns a token to the client. The client caches the token from the response, for example in the browser's local storage, and every subsequent request carries the token to the server for verification.

Advantages: 1) JWT does not use server-side sessions, which reduces overhead.
2) A JWT has a simple structure and takes up only a small number of bytes.
3) The JSON format is universal.

```javascript
let jwt = require('jsonwebtoken'); // import the jwt module
let express = require('express');
let app = express();
let secretKey = "asd"; // define the secret key
// userInfo is the authenticated user's record from the login handler.
// Generate the token; sending it in the request header on every request
// guarantees the server has a token to identify the client each time.
let tokenstr = jwt.sign({
  username: userInfo.username }, secretKey, {
  expiresIn: '120s' });
```

Add it to the request header as `Authorization: Bearer <token>`.

Origin blog.csdn.net/Fairyasd/article/details/108291075