Simple understanding of token mechanism


What is a token

A token is a string generated by the server and handed to the client as an identifier; the client presents it on later requests in place of its credentials.

When the user logs in for the first time, the server generates a token and returns it to the client. From then on the client only needs to send this token with each request; it does not need to send the user name and password again.

A simple token can be composed of three parts: uid (the user's unique identity), time (the timestamp at which the token was issued), and sign (a signature: a fixed-length hexadecimal string produced by running a hash algorithm, keyed with a server-side secret, over the other fields, which lets the server detect a forged or modified token). Note that the signature protects integrity, not secrecy: anyone who obtains a valid token can present it, so leakage has to be prevented separately, which the later sections on storage, signing and HTTPS address.


Identity Authentication Overview

HTTP is a stateless protocol, so by itself the server does not know who is accessing the application. Treat the user as a client: the client proves its identity with a user name and password, but without some extra mechanism the next request it sends would have to be authenticated all over again.

The usual solution is that when the user logs in successfully, the server creates a record that identifies the logged-in user and sends the id of this record to the client, which stores the id in a cookie. On later requests the client sends the cookie along, the server looks up the id, and if a matching record exists it treats the request as authenticated and returns the requested data.

This process is the session mechanism, and the id value is the session id. The session created for each user has to be stored on the server side, in memory, on disk, or in a database.


Authentication based on token mechanism

With token-based authentication the server does not need to keep a login record for the user, at least when the token is self-contained and signed as in the uid/time/sign layout above. The approximate process:

  1. The client requests a login with a user name and password.
  2. The server receives the request and verifies the user name and password.
  3. If verification succeeds, the server generates a token and sends it to the client.
  4. The client receives the token and stores it, either in a cookie (ideally with the HttpOnly and Secure flags set) or in Local Storage (which any script running on the page can read, so an XSS bug there exposes the token).
  5. Every request the client sends to the server afterwards carries this token.
  6. The server receives the request and verifies the token it carries. If verification succeeds, it returns the requested data to the client.
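The six steps above, together with the uid/time/sign layout from the start of the article, as an added example that is not code from the original article. The server key and validity period are assumptions; the sign is an HMAC-SHA256 over "uid.time" under that key, so a client cannot forge a token for another uid or move its timestamp forward.

```python
"""Added example: issue and verify a token laid out as uid.time.sign.
Not from the original article; SERVER_KEY and TOKEN_TTL_SECONDS are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed: generated once at deployment and kept out of source control.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600  # assumed validity period


def _sign(uid: str, ts: str, key: bytes) -> str:
    """Keyed hash over the first two fields, base64url without padding so it is
    safe in headers, cookies and URLs."""
    mac = hmac.new(key, f"{uid}.{ts}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(uid: str, key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Server side, step 3: after the password check succeeded, build uid.time.sign."""
    ts = str(int(time.time()) if now is None else now)
    return f"{uid}.{ts}.{_sign(uid, ts, key)}"


def verify_token(token: str, key: bytes = SERVER_KEY, now: Optional[int] = None,
                 ttl: int = TOKEN_TTL_SECONDS) -> Optional[str]:
    """Server side, step 6: return the uid the token vouches for, or None if the
    token is malformed, forged, tampered with or expired."""
    parts = token.rsplit(".", 2)  # rsplit so a uid containing '.' still parses
    if len(parts) != 3:
        return None
    uid, ts, sig = parts
    if not ts.isdigit():
        return None
    # Recompute the signature and compare in constant time before trusting any field.
    if not hmac.compare_digest(_sign(uid, ts, key), sig):
        return None
    current = int(time.time()) if now is None else now
    if current - int(ts) > ttl:
        return None  # issued too long ago: the client must log in again
    return uid


if __name__ == "__main__":
    tok = issue_token("42")
    print(tok)
    print(verify_token(tok))                                   # 42
    print(verify_token(tok[:-1] + ("A" if tok[-1] != "A" else "B")))  # None: signature broken
    print(verify_token("99" + tok[2:]))                        # None: uid changed, signature stale
```

The server keeps no per-user record here; everything it needs is in the token and the key. The price is that such a token cannot be revoked before its TTL runs out, which is why the stateful variants that follow are still common.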

Using the token mechanism for login authentication, the following methods can be used:

a. Use the device MAC address as the token

Client: when logging in, the client reads the MAC address of the device and passes it to the server as a parameter.

Server: the server receives the parameter, saves it in the database as the token, and also puts the token into the session. Every client request passes through a single interceptor that compares the token sent by the client with the token in the server-side session. If they match, the request is treated as logged in; if they differ, it is rejected.

In this way the client and the server agree on one identifier per device, and each device is guaranteed a unique identifier. The disadvantage is that the server needs to save the MAC address; the advantage is that the client does not need to log in again, since after one login it can keep using the token, with the server handling timeouts. One caveat: a MAC address is not a secret. It is visible on the local network, can be set to any value by the user, and current mobile operating systems hide it from apps or randomize it, so on its own it is a device label rather than proof of identity.

b. Use the session id as the token

Client: the client logs in with the user name and password.

Server: after receiving and verifying the user name and password, the server returns the session id it already holds locally to the client as the token. From then on the client only needs to carry it on requests for data.

The advantage of this method is that it is convenient and requires no extra storage beyond the session the server already keeps. The disadvantage is that when the session expires, the client must log in again before it can request data.

Of course, for applications with high confidentiality requirements the two methods can be combined, so that both the device MAC address and the user name and password are checked during authentication.


APP uses the token mechanism for identity authentication

When the user logs in to the APP, the APP sends the user name and password to the server in encrypted form, and the server verifies them. If verification succeeds, it generates a random string of the required length, stores it on the server as the token, and returns the token to the APP.

Afterwards, whenever the APP makes a request that requires verification, it must carry the token. The server verifies the token and, on success, returns the requested result; on failure it returns an error message, prompting the user to log in again. The server assigns the token a validity period, and on every request from the APP it checks both the token and whether that period has expired.


Storage of tokens

The token can be stored in a database, but then every request needs a database lookup, which may be too slow, and if the lookup fails the token cannot be verified at all.

To avoid slow lookups the token can be kept in memory. Query speed is then not a problem, and memory use is not a serious concern either: even with the token as a 32-character string and the application's user base in the millions or tens of millions, the table does not take up much memory. The trade-off is that an in-process table disappears when the server restarts and is not shared between server instances, so a deployment with several servers needs a store they can all reach.
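The APP flow from the previous section, with the tokens held in the in-process table this section recommends, as an added example (not code from the original article). The user table, salt, password hashing scheme and TTL are constructed for the example.

```python
"""Added example: opaque random tokens kept in an in-memory dictionary with a
validity period. Not from the original article; USERS, _SALT and the TTL are
constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 60  # assumed validity period


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, PBKDF2 hash). The password itself is never stored.
_SALT = secrets.token_bytes(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password("correct horse battery", _SALT)),
}
_DUMMY = (secrets.token_bytes(16), b"\0" * 32)  # so unknown users cost the same time as known ones


class TokenStore:
    """token -> (uid, expiry). Lives only in this process: a restart logs everyone out,
    and a second server instance would need a shared store instead."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Verify the credentials; on success mint a random token and remember it."""
        now = time.time() if now is None else now
        salt, stored = USERS.get(username, _DUMMY)
        ok = hmac.compare_digest(stored, _hash_password(password, salt))
        if username not in USERS or not ok:
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable and carries no data
        self._tokens[token] = (username, now + self.ttl)
        return token

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the uid for a live token, or None so the caller can answer with the
        error that tells the user to log in again."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        uid, expiry = entry
        if now >= expiry:
            del self._tokens[token]  # expired: drop it rather than keep a dead entry
            return None
        return uid

    def logout(self, token: str) -> None:
        self._tokens.pop(token, None)

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping for tokens that expired without ever being presented again."""
        now = time.time() if now is None else now
        dead = [t for t, (_, exp) in self._tokens.items() if now >= exp]
        for t in dead:
            del self._tokens[t]
        return len(dead)

    def __len__(self) -> int:
        return len(self._tokens)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.login("alice", "correct horse battery")
    print(tok, store.verify(tok))      # <random token> alice
    store.logout(tok)
    print(store.verify(tok))           # None: must log in again
```

Because the token is random and opaque, the store is the only place it has meaning; logging out or purging it revokes it immediately, which the self-contained signed token cannot do.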


Encryption of tokens

Tokens leak easily, and a token that is stored or sent in the clear can simply be copied and used by an attacker to log in as that user. The usual protections are:

  1. At rest, store the token symmetrically encrypted and decrypt it when it is used. (Since the server only ever needs to compare the token, storing a hash of it, as is done for passwords, achieves the same goal without keeping a decryption key on the server.)
  2. The signature sign mentioned at the beginning of the article: the request URL, a timestamp and the token are combined and run through a keyed hash, so that a captured token cannot be replayed against a different URL or after the timestamp window has passed.

It is best to use both methods together.

Another point: at the network level it is very dangerous to transmit the token in clear text, so HTTPS must be used.
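Method 2 above, signing each request, as an added example that is not code from the original article. The assumption, not stated in the article, is that at login the server handed the client both a token and a per-session secret and remembers the pair; the token travels in the clear, the secret only ever enters the HMAC, and a nonce is added so two identical requests in the same second can both succeed.

```python
"""Added example: sign each request over URL, timestamp, nonce and token, and verify
it with a freshness window and replay check. Not from the original article; the
SESSIONS table, per-session secret and clock-skew window are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

MAX_CLOCK_SKEW = 300  # seconds a request may be old (or early) before it is refused

# Constructed session table: token -> (uid, per-session secret issued at login).
SESSIONS: Dict[str, Tuple[str, bytes]] = {
    "tok-abc": ("alice", b"per-session-secret-for-alice"),
}


def _canonical(method: str, url: str, ts: str, nonce: str, token: str) -> bytes:
    # Newline-separated so that "GET /a" + "b" and "GET /ab" cannot hash the same.
    return "\n".join([method.upper(), url, ts, nonce, token]).encode()


def sign_request(method: str, url: str, token: str, secret: bytes,
                 now: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany one request."""
    ts = str(int(time.time()) if now is None else now)
    nonce = secrets.token_hex(8)
    sig = hmac.new(secret, _canonical(method, url, ts, nonce, token), hashlib.sha256).hexdigest()
    return {"X-Token": token, "X-Timestamp": ts, "X-Nonce": nonce, "X-Sign": sig}


class RequestVerifier:
    """Server side: accept a request only if its signature matches the token's secret,
    its timestamp is fresh, and its nonce has not already been accepted in the window."""

    def __init__(self, sessions: Dict[str, Tuple[str, bytes]] = SESSIONS,
                 skew: int = MAX_CLOCK_SKEW) -> None:
        self.sessions = sessions
        self.skew = skew
        self._seen: Dict[Tuple[str, str], int] = {}  # (token, nonce) -> timestamp

    def verify(self, method: str, url: str, headers: Dict[str, str],
               now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        token, ts, nonce, sig = (headers.get(h) for h in ("X-Token", "X-Timestamp", "X-Nonce", "X-Sign"))
        if not (token and ts and nonce and sig) or not ts.isdigit():
            return None
        if abs(now - int(ts)) > self.skew:
            return None  # stale capture, or a badly skewed client clock
        session = self.sessions.get(token)
        if session is None:
            return None  # unknown or logged-out token
        uid, secret = session
        expected = hmac.new(secret, _canonical(method, url, ts, nonce, token), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged, or method/URL/timestamp altered after signing
        self._forget_old(now)
        if (token, nonce) in self._seen:
            return None  # exact replay inside the window
        self._seen[(token, nonce)] = int(ts)
        return uid

    def _forget_old(self, now: int) -> None:
        # Nonces older than the window can go: the timestamp check refuses them anyway.
        for key, ts in list(self._seen.items()):
            if now - ts > self.skew:
                del self._seen[key]


if __name__ == "__main__":
    v = RequestVerifier()
    h = sign_request("GET", "/api/profile", "tok-abc", b"per-session-secret-for-alice")
    print(v.verify("GET", "/api/profile", h))   # alice
    print(v.verify("GET", "/api/profile", h))   # None: replayed
    print(v.verify("GET", "/api/admin", h))     # None: URL changed
```

A stolen token alone is useless to an attacker here because every request also needs the secret, and a captured request stops working once its timestamp falls out of the window. This does not replace HTTPS: the signature protects integrity and freshness, while the transport layer still has to keep the request body and any credentials confidential.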


This article is reproduced from https://www.toutiao.com/i6499626658574631437/
