05: JWT principles & use

1.1 Cookies: how they are used, advantages and disadvantages

    Reference blog: https://baijiahao.baidu.com/s?id=1608021814182894637&wfr=spider&for=pc

  1, how cookies work

      1. The user sends the user name and password to the server.

      2. The server verifies them and saves the relevant data (such as the user's role, logon time, etc.) in the current session.

      3. The server returns the session_id to the user, and the session information is written into the user's cookie.

      4. On each subsequent request to the server, the user carries the session_id in the cookie.

      5. The server receives the session_id, compares it with the previously saved data, and confirms the user's identity.

      

  2, disadvantages of using sessions

      1. The biggest problem with this model is that it does not support a distributed architecture and cannot scale horizontally.
      2. If only a single server is used, this model is fine.
      3. However, in a cross-domain, server-cluster or service-oriented architecture, a unified session store is needed so that the session data can be shared.
      4. Only then can every server behind the load balancer verify the user's identity correctly.

  3, common ways of solving the session problem

      1. One solution is to persist the session data into a database or a file-based persistence layer.
      2. After receiving a request, the service fetches the authentication data from the persistence layer.
      3. The system then depends on the database or persistence layer, which creates a single point of failure: if the persistence layer fails, the entire authentication system hangs.

       

1.2 JWT introduction

  1, JWT principle

The principle of JWT is that after the server authenticates the user, it generates a JSON object and sends it back to the user:
{
  "UserName": "Chongchong",
  "Role": "Admin",
  "Expire": "2018-08-08 20:15:56"
}

Thereafter, whenever the user communicates with the server, the client sends this JSON object back with the request, and the server relies only on this JSON object to identify the user.
To prevent users from tampering with the data, the server adds a signature when it generates the object (see below for details).
The server no longer saves any session data, i.e. it becomes stateless, which makes it easier to scale out.

  2, JWT data structure

      1) Header: the header is a JSON object describing the JWT's metadata

      2) Payload: seven default (registered) fields + custom private fields

      3) Signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

      

    1) JWT header

# The JWT header is a JSON object describing the JWT's metadata; it generally looks like this:
{
  "alg": "HS256",
  "typ": "JWT"
}
# 1) The alg property indicates the signature algorithm; the default is HMAC SHA256 (written as HS256).
# 2) The typ property indicates the type of token; for a JWT it is always written as JWT.
# 3) Finally, the JSON object is converted to a string with the Base64 URL algorithm and stored.

    2) Payload

# 1. The payload is the main body of the JWT; it is also a JSON object and contains the data to be transmitted. JWT specifies seven default (registered) fields to choose from:
'''
iss: issuer
exp: expiration time
sub: subject
aud: audience
nbf: not before (the token is not valid before this time)
iat: issued at
jti: JWT ID, identifying this JWT
'''

# 2. In addition to the default fields above, we can also define private fields, for example:
{
  "sub": "1234567890",
  "name": "chongchong",
  "admin": true
}

# 3. Note that
by default a JWT is not encrypted and anyone can read its contents, so do not put confidential information in private fields, in order to prevent information leakage.
This JSON object is also converted to a string with the Base64 URL algorithm and stored.

    3) Signature

# 1. The signature is a hash over the two parts above, generated with the specified hash algorithm, to ensure that the data cannot be tampered with.
# 2. First, a secret (password) must be specified. The secret is stored only on the server and must not be disclosed to users.
# 3. Then, the signature algorithm specified in the header (HMAC SHA256 by default) generates the signature according to the following formula:
# 4. HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
# 5. After the signature is calculated, the three parts (header, payload and signature) are combined into one string, separated by ".", which forms the complete JWT.

  3, JWT core idea

      1) The token issued to the user corresponds to a lock, and the server-side secret key corresponds to the key.

      2) The client carries the lock in every request; the server tries to open it with its secret key, and if the lock cannot be opened the token is proven to be forged.
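The signing formula from the "Signature" section and the lock-and-key check from the section above, written out as an added example (not code from the original post). The secret and the claim values are constructed samples; the verifier pins the algorithm to HS256, compares signatures in constant time and also rejects a token whose exp has passed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret: in practice this lives only on the server.
SECRET = b"server-side-secret-key"

def b64url(data: bytes) -> str:
    """Base64 URL encoding without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(signing_input: bytes, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    return b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())

def encode_jwt(payload: dict, secret: bytes) -> str:
    """Issue the 'lock': header.payload.signature, each part base64url-encoded."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}." + sign_hs256(f"{h}.{p}".encode("ascii"), secret)

def decode_jwt(token: str, secret: bytes, now=None):
    """Try the server's 'key' on the lock: return the payload, or None if the
    token is malformed, names another algorithm, fails the signature or expired."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = sign_hs256(f"{h}.{p}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, s):  # constant-time comparison
        return None
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None  # issued tokens stay valid only until exp
    return payload
```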

  4, analysis of JWT features

      1. JWT is not encrypted by default, but it can be: after the original token is generated, it can be encrypted again with a key.

      2. When the JWT is not encrypted, secret data must not be transmitted through it.

      3. JWT is not only used for authentication but also for exchanging information; using JWT helps reduce the number of database queries the server makes.

      4. The biggest drawback of JWT is that the server does not save session state, so it is not possible to revoke a token or change its permissions while it is in use: once a JWT is issued, it remains valid until it expires.

      5. The JWT itself contains the authentication information, so once it leaks, anyone can obtain all the rights of that token.

      6. To reduce fraud and theft, JWT should not be transmitted over plain HTTP but over the encrypted HTTPS protocol.

 

 

 

 

 

 


Origin www.cnblogs.com/xiaonq/p/11094480.html