Getting Started with Interface Automation: Cookie, Session, Token Authentication Practice in Login Process

The HTTP protocol is simple, fast, connectionless and stateless: requests are independent of each other and the server keeps no correlation between them, so a login has to be remembered by some other mechanism.

1. Cookie authentication

1. What is a cookie?

A cookie is a small piece of text generated by the server and stored on the client. Its format is a dictionary of key-value pairs.

2. Classification of cookies

Session-level: kept in memory; lost when the browser is closed
Persistent: saved on the hard disk; cleared only when the expiration time is reached

3. How to view cookies

name, value, domain, path, expires, size

4. How does cookie implement authentication (principle)

When the client accesses the server for the first time, the server generates a cookie and returns it to the client in the Set-Cookie response header. From the second request onward, the client automatically sends these cookies back with every request.

Fatal weakness: cookies are stored on the client side, so keeping sensitive information in them (user name, password, ID card number) is unsafe.

The first interface:

The second interface:

2. Session authentication

When the user visits the server for the first time, the server saves a sessionid on the server side (the sessionid is encrypted), sends the sessionid to the client in a cookie, and on later requests the client only needs to send the sessionid.

The sessionid is stored in server memory.

Achilles' heel: the insecurity of cookies is solved, but a new problem appears: when the number of users is very large, holding every session in server memory can crash the server.

Server cluster solutions: request IP binding, session replication, single sign-on.

The first interface:

The second interface:
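The cookie and session flows described above, as an added example (not code from the original article): a minimal in-process HTTP server issues a random sessionid in Set-Cookie on the first interface (login), keeps the user data in server memory, and on the second interface (profile) identifies the user purely from the cookie that the client's cookie jar sends back automatically. The credentials, paths and JSON bodies are constructed sample values.

```python
import http.cookiejar
import http.cookies
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Server-side session store: sessionid -> username. Lives in memory only,
# which is the resource problem the article raises for large user counts.
SESSIONS = {}
USERS = {"admin": "123"}  # constructed sample credentials


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the example quiet

    def _reply(self, status, body, extra_headers=()):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        # "The first interface": login. On success the server creates a random
        # session id, keeps the user data on its side and sends only the id.
        length = int(self.headers.get("Content-Length", 0))
        creds = json.loads(self.rfile.read(length) or b"{}")
        user = creds.get("username")
        if self.path == "/login" and USERS.get(user) == creds.get("password"):
            sid = secrets.token_hex(16)
            SESSIONS[sid] = user
            self._reply(200, {"ok": True},
                        [("Set-Cookie", f"sessionid={sid}; HttpOnly; Path=/")])
        else:
            self._reply(401, {"ok": False})

    def do_GET(self):
        # "The second interface": only the sessionid cookie identifies the user.
        cookies = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["sessionid"].value if "sessionid" in cookies else None
        if self.path == "/profile" and sid in SESSIONS:
            self._reply(200, {"user": SESSIONS[sid]})
        else:
            self._reply(401, {"error": "no valid session"})


def start_server():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_login_flow():
    """Log in, then call the second interface; the cookie jar carries the id."""
    server, base = start_server()
    try:
        jar = http.cookiejar.CookieJar()
        client = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        body = json.dumps({"username": "admin", "password": "123"}).encode()
        with client.open(urllib.request.Request(base + "/login", data=body, method="POST")) as r:
            login = json.loads(r.read())
        with client.open(base + "/profile") as r:     # cookie added automatically
            profile = json.loads(r.read())
        try:                                           # no cookie jar -> rejected
            urllib.request.urlopen(base + "/profile")
            anonymous_status = 200
        except urllib.error.HTTPError as err:
            anonymous_status = err.code
        return login, profile, [c.name for c in jar], anonymous_status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_login_flow())
```

Note that only the random sessionid ever travels in the cookie; the user name stays in SESSIONS on the server, and a client that did not keep the cookie gets 401 on the second interface.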

3. Token authentication

When a user logs in, the server sends him a token; on every later request the user only needs to bring this token.
The token can be saved in a file or in a database; in automation it can be obtained by packet capture (HTTP).
Encryption:
Symmetric encryption: DES, AES
Two-key (asymmetric) encryption: RSA
One-way (hashing; can only be computed, never decrypted): MD5, SHA

Token classification:
access_token: time-limited, generally 15 minutes
refresh_token: generally 15 days

The first interface:

The second interface:
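The access_token / refresh_token scheme above, as an added example (not code from the original article): the token is a base64url JSON payload plus an HMAC-SHA256 tag, so the server keeps no per-user state and only needs its secret to check the tag and the expiry. The 15-minute and 15-day lifetimes follow the text; SECRET, the user name and the claim names (sub, typ, exp) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"replace-with-a-long-random-server-secret"  # assumption: server-only key
ACCESS_TTL = 15 * 60            # access_token: 15 minutes
REFRESH_TTL = 15 * 24 * 3600    # refresh_token: 15 days


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload):
    # The tag is what makes the token self-verifying: without SECRET it cannot be forged.
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue(user, kind, now=None):
    """Build '<payload>.<tag>' for an access or refresh token."""
    now = time.time() if now is None else now
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    payload = _b64(json.dumps({"sub": user, "typ": kind, "exp": int(now + ttl)}).encode())
    return f"{payload}.{_tag(payload)}"


def verify(token, kind, now=None):
    """Return the claims if the tag is genuine, the type matches and it has not expired."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(payload)):  # constant-time; catches tampering
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("typ") != kind or claims.get("exp", 0) <= now:
        return None
    return claims


def login(user, now=None):
    """What the login interface returns: both tokens for the user."""
    return {"access_token": issue(user, "access", now),
            "refresh_token": issue(user, "refresh", now)}


def refresh(refresh_token, now=None):
    """Exchange a still-valid refresh_token for a new access_token."""
    claims = verify(refresh_token, "refresh", now)
    if claims is None:
        return None
    return {"access_token": issue(claims["sub"], "access", now)}


if __name__ == "__main__":
    tokens = login("admin")
    print(verify(tokens["access_token"], "access"))
```

Passing `now` explicitly makes the expiry rules testable without waiting: the same access_token is accepted one minute after login and rejected sixteen minutes later, while the refresh_token still works then and fails after its 15 days.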

4. What are the similarities and differences between cookie, session and token?

Similarities: all three are used for authentication, and all are generated by the server.

Differences:

(1) The cookie is stored on the client and the session on the server, so the session is more secure than the cookie. Under normal circumstances, put important information in the session and unimportant information in cookies.

(2) The session lives in server memory, while the token lives in a file or database on the server. The advantage of the token is that it uses fewer server resources than the session: the server only needs to decrypt (verify) the token.

Automation level:

Tools: postman, jmeter

Code: interface correlation, cookie authentication, session authentication, and using cookies in web automation to skip the verification code.

New problems arise with third-party payment, banking and financial projects, which have higher security requirements.

Digital certificate:

5. Interface signature: sign

It can be done in the tool or in code.

Since we already have tools like Postman and JMeter, why do interface automation at the code level?

(1) Agile development: a large collection of interfaces is hard to put under version control and team collaboration

(2) Tools are too rigid; we need to customize some functions

(3) A project may have interfaces over multiple protocols

(4) Locating problems

(5) Tools cannot generate nice reports; code can use Allure

(6) Complex interfaces, multiple interface protocols, databases

(7) Log monitoring

(8) Combining interface automation with web automation

In depth: interface automation

(1) All requests must be managed uniformly

(2) Once the interface automation testing framework is encapsulated, functional testers only need to write test cases; no code is required

1. What is an interface signature?

Combine the user name, password, timestamp and all parameters (sorted), then encrypt the resulting string. That string is the unique authentication code with which the caller accesses the third-party financial interface: sign, the interface signature.

2. Why is an interface signature needed?

1. Against masquerading attacks
2. Against tampering attacks
3. Against replay attacks
4. Against data leakage

3. How to sign an interface: understanding the signature rules

1. Sort all request parameters by key in ascending ASCII order
{"c": "3", "b": "2", "a": "1"} ➡️ {"a": "1", "b": "2", "c": "3"}
2. Join each parameter name and value into one string
a=1&b=2&c=3
3. Prepend the applied-for appid and appsecret to the head of the string
appid: user name, appsecret: password
appid=admin&appsecret=123&a=1&b=2&c=3
4. Append the timestamp to the end of the string
appid=admin&appsecret=123&a=1&b=2&c=3&timestamp=786276574
5. Compute the 32-character MD5 digest of the string and convert it to uppercase
sign=***
Valid for 10 seconds
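The five signing steps above carried through in code, as an added example (not code from the original article): sign() produces the client-side signature, and verify_sign() is the server-side check that recomputes it over the received parameters and enforces the 10-second validity window, which is what makes the signature useful against replay and tampering. The appid, appsecret, parameters and timestamp are the article's sample values; the server-side SECRETS lookup and the field names appid, timestamp and sign in the request are assumptions of this example.

```python
import hashlib
import hmac
import time


def canonical_string(params, appid, appsecret, timestamp):
    """Steps 1-4: sort keys (ASCII), join k=v with '&', prefix credentials, append timestamp."""
    body = "&".join(f"{key}={params[key]}" for key in sorted(params))
    return f"appid={appid}&appsecret={appsecret}&{body}&timestamp={timestamp}"


def sign(params, appid, appsecret, timestamp):
    """Step 5: 32-character MD5 hex digest of the canonical string, upper-cased."""
    text = canonical_string(params, appid, appsecret, timestamp)
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def signed_request(params, appid, appsecret, now=None):
    """What the client actually sends: business params + appid + timestamp + sign.
    The appsecret itself is never transmitted; it only enters the digest."""
    ts = int(time.time() if now is None else now)
    return {**params, "appid": appid, "timestamp": ts,
            "sign": sign(params, appid, appsecret, ts)}


SECRETS = {"admin": "123"}  # server-side appid -> appsecret lookup (constructed)
VALID_FOR = 10              # seconds, per the signing rules above


def verify_sign(request, now=None):
    """Server side: reject stale timestamps, then recompute sign over the received params."""
    now = time.time() if now is None else now
    fields = dict(request)
    appid = fields.pop("appid", None)
    ts = fields.pop("timestamp", None)
    received = fields.pop("sign", None)
    if appid not in SECRETS or ts is None or received is None:
        return False
    if abs(now - int(ts)) > VALID_FOR:          # anti-replay: outside the 10 s window
        return False
    expected = sign(fields, appid, SECRETS[appid], ts)
    return hmac.compare_digest(received, expected)  # constant-time comparison


if __name__ == "__main__":
    req = signed_request({"c": "3", "b": "2", "a": "1"}, "admin", "123")
    print(req, verify_sign(req))
```

Because the server recomputes the digest from the parameters it received, any change to a parameter value, and any request replayed more than 10 seconds after its timestamp, fails verification.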


Origin blog.csdn.net/myh919/article/details/131641176