Keeping an app client logged in to the server

Because requests from the app to the server are treated as cross-domain access, the server generates a new session for every request. The app client therefore differs from the web side: it cannot keep its login state in a server session.
To keep app users logged in, we can use tokens instead.
The client enters the account and password and sends a login request. Once the server's login interface has authenticated the user, it returns an arbitrary string to the client: the token. The token can be generated randomly, but it must be associated with the user's account, for example stored as a userid/token key-value pair in memory (Redis). Once the client holds this token, the server treats it as having logged in successfully. Every subsequent request that requires authentication carries the token, and the server checks whether the token exists and whether it is still valid.
For security, a new token is generated on every login, and a validity period can be set. The token's timestamp is refreshed after each valid operation, so the validity period keeps extending for as long as the user stays active.
To prevent an intercepted token from being used to forge requests, each request can be signed over userid + token + timestamp + key + request parameters; the server verifies both the token and the signature to ensure the request is genuine.
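The flow above (token issued at login, stored against the userid with an expiry that slides on each valid request, regenerated on every login, and a per-request signature over userid, token, timestamp, key and parameters) as a worked example. This is added code, not from the article: a Python dict stands in for Redis, HMAC-SHA256 is the assumed signature construction (the article only says "signed"), and the signing key is assumed to be a per-user secret handed to the client once at login and never sent with requests, so an intercepted token alone cannot produce a valid signature. All store names, TTLs and function names are this example's own.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed in-memory store standing in for Redis (assumption: a real
# deployment would keep the same keys in Redis with matching TTLs).
TOKENS = {}          # token -> {"userid": str, "expires": float}
USER_TOKENS = {}     # userid -> current token, so a new login revokes the old one
SIGNING_KEYS = {}    # userid -> per-user signing key (hypothetical; issued at login)
TOKEN_TTL = 30 * 60  # seconds of inactivity after which the token expires
REPLAY_WINDOW = 300  # max age / clock skew of a signed request, in seconds


def issue_token(userid, now=None):
    """Called only after the login interface has authenticated the user.
    Returns (token, key); any previous token for this user is revoked."""
    now = time.time() if now is None else now
    old = USER_TOKENS.get(userid)
    if old:
        TOKENS.pop(old, None)
    token = secrets.token_urlsafe(32)        # unpredictable, not a guessable counter
    TOKENS[token] = {"userid": userid, "expires": now + TOKEN_TTL}
    USER_TOKENS[userid] = token
    SIGNING_KEYS[userid] = secrets.token_bytes(32)
    return token, SIGNING_KEYS[userid]


def verify_token(userid, token, now=None, refresh=True):
    """True if the token exists, belongs to userid and is unexpired.
    With refresh=True the expiry slides forward (the article's timestamp update)."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    if entry is None or entry["userid"] != userid:
        return False
    if entry["expires"] < now:
        TOKENS.pop(token, None)              # expired: drop it so it cannot be reused
        return False
    if refresh:
        entry["expires"] = now + TOKEN_TTL
    return True


def canonical_string(userid, token, timestamp, params):
    # Parameters are sorted and url-encoded so client and server sign identical bytes.
    return "|".join([userid, token, str(timestamp), urlencode(sorted(params.items()))])


def sign_request(userid, token, timestamp, key, params):
    """Client side: signature = HMAC-SHA256(key, userid|token|timestamp|params)."""
    msg = canonical_string(userid, token, timestamp, params).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(userid, token, timestamp, params, signature, now=None):
    """Server side: check freshness, token and signature; only then slide the expiry."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > REPLAY_WINDOW:
        return False                         # stale or replayed request
    if not verify_token(userid, token, now, refresh=False):
        return False
    key = SIGNING_KEYS.get(userid)
    if key is None:
        return False
    expected = sign_request(userid, token, timestamp, key, params)
    if not hmac.compare_digest(expected, signature):
        return False                         # constant-time compare against the tag
    verify_token(userid, token, now, refresh=True)
    return True


if __name__ == "__main__":
    # Constructed sample exchange: login, one signed request, one tampered request.
    tok, key = issue_token("user42")
    ts = int(time.time())
    params = {"amount": "10", "to": "acct9"}
    sig = sign_request("user42", tok, ts, key, params)
    print("genuine request accepted:", verify_request("user42", tok, ts, params, sig))
    forged = dict(params, amount="1000")
    print("tampered request accepted:", verify_request("user42", tok, ts, forged, sig))
```

The expiry is refreshed only after the signature checks out, so an attacker who replays an old token cannot keep it alive, and the timestamp window bounds how long a captured request remains replayable.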
