Article directory
For Token, it is used in many large websites, such as Facebook, Twitter, Google, Github, etc. Compared with traditional authentication methods, Token is more scalable and more secure, and is very suitable for use in web applications. or on the mobile app
1. Token-based authentication method
With Token
the , there is no need to store the user's login record on the server side. The approximate process is as follows:
- The client uses the username and password to request a login;
- The server receives the request to verify the username and password;
- After the verification is successful, the server will issue one
Token
, and thenToken
send to the client; - After the client receives
Token
it , it can be stored, such as inCookie
orLocal Storage
in; - Each time the client requests resources from the server, it needs to be signed by the server
Token
; - The server receives the request, and then verifies the data contained in the client request
Token
. If the verification is successful, it returns the requested data to the client.
2.JWT
There are many ways to implement Token
verification, and there are some standard methods, for example JWT
, read as: jot
, which means: JSON Web Tokens
. JWT
The standard Token
has three parts:
1. header
(header), the header information mainly includes (parameter type – JWT, signature algorithm – HS256)
2. poyload
(load), the load is basically the information you want to store (because the information will be exposed, no sensitive data should be added to the payload)
3. sign
(Signature), the function of the signature is to prevent malicious data tampering
The middle is separated by a dot, and both use Base64 encoding, so the real Token looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
2.1 Header
Header
The part is mainly composed of two parts, one is Token
the type of , and the other is the algorithm used. For example, the following type is JWT
the algorithm used HS256
.
{
"typ" : "JWT",
"alg" : "HS256"
}
The above content should be encoded Base64
in the form of , so it becomes like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
2.2 Payload
Payload
Token
There are specific contents of , some of which are standard fields, and you can also add other required contents. The following are standard fields:
- iss: Issuer, issuer
- sub: Subject, subject
- aud: Audience, audience
- exp: Expiration time, expiration time
- nbf:Not before
- iat: Issued at, release time
- jti: JWT ID ,
such as the one belowPayload
, usesiss
issuer ,exp
expiration time, and two custom fields, one isname
and the other isadmin
.
{
"iss" : "csdn.net",
"exp" : "201511205211314",
"name" : "维C果糖",
"admin" : true
}
After using the Base64
encoding , it becomes like this:
eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ
2.3 signatrue
The last part of the JWT is Signature
that this part has three parts, which are first Base64
encoded with header 和 payload
and then encrypted with an encryption algorithm. When encrypting, one should be put in Secret
. This is equivalent to a password, which is stored secretly on the server .
header
payload
secret
var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
HMACSHA256(encodedString, 'secret');
After processing it looks like this: SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
the last token generated by the server and sent to the client looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
Token
After the client receives this, it will be stored, and it will be taken with it when it sends a request to the server next time Token
. The server receives this Token
, then verifies it, and returns the resource that the client wants after passing.
3. Web Security
Token, we call it "token", its biggest feature is randomness and unpredictability. Ordinary hackers or software cannot guess it. So, what does Token do? What is the principle?
Tokens are generally used in two places:
- Prevent form resubmission
- Anti CSRF attack (Cross Site Request Forgery)
Both are session token
achieved . When a client requests a page, the server generates a random number Token
, Token
places the into session
the , and sends the Token
to client (usually by constructing a hidden
form). The next time the client submits a request, it Token
will be submitted to the server along with the form.
Then, if it is applied to " Anti CSRF攻击
", the server will verify the Token
value to determine whether it is equal session
to the Token
value in . If it is equal, it can prove that the request is valid and not forged. However, if it is applied to " prevent repeated submission of forms ", after the first verification on the server side is the same session
, the Token
value in will be updated . If the user submits repeatedly, the second verification judgment will fail, because the user submits the form in the Nothing has changed, but it has changed on the serverToken
side .session
Token
The above session
application is relatively safe, but it is also called cumbersome. At the same time, when there are multiple pages and multiple requests, Token
the method of generating multiple pages at the same time must be adopted, which takes up more resources and reduces the execution efficiency. Therefore, the method of cookie
storing used instead session Token
. For example, when dealing with "duplicate submissions", after the first submission, the submitted information will be written cookie
into . When the second submission is made, since cookie
there is already a submission record, the second submission will fail. However, cookie
storage has an Achilles' heel . If the cookie is hijacked (XSS attacks are easy to get the user's cookie), then another game over, the hacker will directly achieve the CSRF
attack . Therefore, safety and efficiency are relative, and specific problems are analyzed in detail!
In addition, to avoid the situation of "adding token
but not verifying", it session
is added in token
, but the server does token
not verify the , which does not play a preventive role at all. It should also be noted that the addition, deletion, and modification operations that have changes to the database need to be token
verified . For query operations, they must not be added token
to prevent attackers token
from CSRF
. But it's not that the attacker can't get token
it, it just increases the cost of the attack.