Article directory
For Token, it is used in many large websites, such as Facebook, Twitter, Google, Github, etc. Compared with traditional authentication methods, Token is more scalable and more secure, and is very suitable for use in web applications. or on the mobile app
1. Token-based authentication method
With Tokenthe , there is no need to store the user's login record on the server side. The approximate process is as follows:
- The client uses the username and password to request a login;
- The server receives the request to verify the username and password;
- After the verification is successful, the server will issue one
Token, and thenTokensend to the client; - After the client receives
Tokenit , it can be stored, such as inCookieorLocal Storagein; - Each time the client requests resources from the server, it needs to be signed by the server
Token; - The server receives the request, and then verifies the data contained in the client request
Token. If the verification is successful, it returns the requested data to the client.
2.JWT
There are many ways to implement Tokenverification, and there are some standard methods, for example JWT, read as: jot, which means: JSON Web Tokens . JWTThe standard Tokenhas three parts:
1. header(header), the header information mainly includes (parameter type – JWT, signature algorithm – HS256)
2. poyload(load), the load is basically the information you want to store (because the information will be exposed, no sensitive data should be added to the payload)
3. sign(Signature), the function of the signature is to prevent malicious data tampering
The middle is separated by a dot, and both use Base64 encoding, so the real Token looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
2.1 Header
HeaderThe part is mainly composed of two parts, one is Tokenthe type of , and the other is the algorithm used. For example, the following type is JWTthe algorithm used HS256.
{
"typ" : "JWT",
"alg" : "HS256"
}
The above content should be encoded Base64in the form of , so it becomes like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
2.2 Payload
PayloadTokenThere are specific contents of , some of which are standard fields, and you can also add other required contents. The following are standard fields:
- iss: Issuer, issuer
- sub: Subject, subject
- aud: Audience, audience
- exp: Expiration time, expiration time
- nbf:Not before
- iat: Issued at, release time
- jti: JWT ID ,
such as the one belowPayload, usesississuer ,expexpiration time, and two custom fields, one isnameand the other isadmin.
{
"iss" : "csdn.net",
"exp" : "201511205211314",
"name" : "维C果糖",
"admin" : true
}
After using the Base64encoding , it becomes like this:
eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ
2.3 signatrue
The last part of the JWT is Signaturethat this part has three parts, which are first Base64encoded with header 和 payloadand then encrypted with an encryption algorithm. When encrypting, one should be put in Secret. This is equivalent to a password, which is stored secretly on the server .
header
payload
secret
var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
HMACSHA256(encodedString, 'secret');
After processing it looks like this: SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
the last token generated by the server and sent to the client looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
TokenAfter the client receives this, it will be stored, and it will be taken with it when it sends a request to the server next time Token. The server receives this Token, then verifies it, and returns the resource that the client wants after passing.
3. Web Security
Token, we call it "token", its biggest feature is randomness and unpredictability. Ordinary hackers or software cannot guess it. So, what does Token do? What is the principle?
Tokens are generally used in two places:
- Prevent form resubmission
- Anti CSRF attack (Cross Site Request Forgery)
Both are session token achieved . When a client requests a page, the server generates a random number Token, Tokenplaces the into session the , and sends the Tokento client (usually by constructing a hidden form). The next time the client submits a request, it Tokenwill be submitted to the server along with the form.
Then, if it is applied to " Anti CSRF攻击", the server will verify the Tokenvalue to determine whether it is equal sessionto the Tokenvalue in . If it is equal, it can prove that the request is valid and not forged. However, if it is applied to " prevent repeated submission of forms ", after the first verification on the server side is the same session, the Tokenvalue in will be updated . If the user submits repeatedly, the second verification judgment will fail, because the user submits the form in the Nothing has changed, but it has changed on the serverToken side .sessionToken
The above sessionapplication is relatively safe, but it is also called cumbersome. At the same time, when there are multiple pages and multiple requests, Tokenthe method of generating multiple pages at the same time must be adopted, which takes up more resources and reduces the execution efficiency. Therefore, the method of cookiestoring used instead session Token. For example, when dealing with "duplicate submissions", after the first submission, the submitted information will be written cookieinto . When the second submission is made, since cookiethere is already a submission record, the second submission will fail. However, cookie storage has an Achilles' heel . If the cookie is hijacked (XSS attacks are easy to get the user's cookie), then another game over, the hacker will directly achieve the CSRF attack . Therefore, safety and efficiency are relative, and specific problems are analyzed in detail!
In addition, to avoid the situation of "adding tokenbut not verifying", it sessionis added in token, but the server does token not verify the , which does not play a preventive role at all. It should also be noted that the addition, deletion, and modification operations that have changes to the database need to be token verified . For query operations, they must not be added tokento prevent attackers tokenfrom CSRF. But it's not that the attacker can't get tokenit, it just increases the cost of the attack.