Token, session, cookie


Session and cookie

Before getting to the Token, a brief word on what session and cookie are.

  • First, HTTP requests are stateless: on its own, the server cannot tell whether this request has any relationship to the previous one. Take a login system: after the username and password have been verified once, the user should be able to open every page without logging in again, until they log out or the login times out. To avoid re-authenticating on every request, we use session and cookie.

  • A cookie is a mechanism for saving user information on the client (the browser). Browsers differ slightly in how much they store, but a single cookie is usually limited to about 4KB.

  • A session is saved on the server and is used to record the client's state; for example, we often keep the user's basic information and permission information in the session. After the user's first login the server creates a session, and on later visits the browser only has to present the session identifier (normally carried in a cookie) for the server to look the session up.


Normally, session and cookie are used together: the server keeps the state, and the cookie carries only the session identifier.
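As an added illustration of how session and cookie divide the work (this is not code from the original post), here is a minimal in-memory session store in Python: the server keeps the user's state, and the cookie carries nothing but a random, unguessable identifier. The cookie name SESSIONID, the dict-based store, and the sample user and roles are assumptions made for the example; a real deployment would back the store with a database or Redis.

```python
import secrets
from typing import Dict, List, Optional

# Constructed in-memory store: session ID -> server-side state (assumption for the example).
SESSION_STORE: Dict[str, dict] = {}
SESSION_COOKIE = "SESSIONID"  # hypothetical cookie name


def create_session(user_id: str, roles: List[str]) -> str:
    """Server side, after a successful login: store the state, hand back only an opaque ID."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness; the ID must be unguessable
    SESSION_STORE[session_id] = {"userId": user_id, "roles": roles}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Value of the Set-Cookie header the server sends with the login response.

    HttpOnly keeps the ID away from page scripts, Secure keeps it off plain HTTP,
    SameSite=Lax stops most cross-site requests from carrying it."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_from_cookie_header(cookie_header: str) -> Optional[dict]:
    """Server side on later requests: pull the ID out of the Cookie header and look it up.

    Returns the stored state, or None when the cookie is missing or the ID is unknown."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return SESSION_STORE.get(value)
    return None


def destroy_session(session_id: str) -> None:
    """Logout or timeout: dropping the server-side entry invalidates the cookie immediately."""
    SESSION_STORE.pop(session_id, None)


if __name__ == "__main__":
    sid = create_session("u42", ["admin"])
    print("Set-Cookie:", set_cookie_header(sid))
    # The browser later sends the cookie back along with any others it holds.
    print("lookup ->", session_from_cookie_header(f"theme=dark; {SESSION_COOKIE}={sid}"))
    destroy_session(sid)
    print("after logout ->", session_from_cookie_header(f"{SESSION_COOKIE}={sid}"))
```

The point to notice is where the cost sits: every active user occupies an entry in SESSION_STORE, and in a multi-server deployment that store has to be shared, which is exactly the overhead the next section motivates the Token with. In return, logout is trivial: remove the entry and the cookie is dead.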

What is a Token

But this creates a problem: the server has to keep every user's session, and the cost of that grows large. In a distributed architecture you also have to solve session sharing, which needs extra design and development, for example saving the session data in a shared Redis. For this reason, some people let the client keep that information instead: it can be stored anywhere, as long as its integrity is protected, and this is where the Token comes in.

A Token is a string generated by the server; you can think of it as the credential the server issues to the client, which the client presents on later requests.

  • When a client first visits, the server takes a unique identifier passed to it (such as the userId) and runs a signing algorithm over it to produce a Token. On later requests the client only needs to carry the Token; the server receives the request and verifies the Token.

  • Some companies build a unified login system (single sign-on): the client obtains a Token from it and then presents that Token when accessing the other systems, which verify it. An API gateway can provide similar functionality. Our company does it this way: when a client connects it obtains a Token from the gateway, can access the authorized interfaces once the Token is verified, and has to obtain a new Token after a period of time.

Authentication flow under the Token mechanism

The whole process goes like this:

  1. The client authenticates with its username and password;

  2. The server receives the request and verifies the credentials (this may also be a unified sign-on platform or a gateway);

  3. After successful authentication, the server issues a Token and returns it to the client;

  4. The client receives the Token and stores it on the client side (in a Cookie, LocalStorage or SessionStorage); on every later request to the server, the client carries the Token, putting it into the request Headers;

  5. Tokens carry an expiration time; once a Token has expired, the client has to authenticate again;

  6. The server takes the Token from the request header, signs the user parameters again according to the established rules, and compares the two signatures: if they match, the request succeeds; otherwise the data has been tampered with and the request fails.
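The six steps above as working code, and also the "generate a Token from the userId, verify it on later requests" description from the previous section. This is an added example, not code from the original post, and it fixes details the post leaves open: the "established rule" is taken to be HMAC-SHA256 over a small JSON payload holding userId and an expiry, the Token is the base64url payload and signature joined by a dot, and SERVER_SECRET is a placeholder name for the server-side key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder server secret (assumption for the example): in a real deployment it is
# loaded from a secret store and never hard-coded or sent to the client.
SERVER_SECRET = b"example-only-secret-replace-with-32-random-bytes"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(secret: bytes, payload: bytes) -> bytes:
    # The "established rule" of step 6, fixed here as HMAC-SHA256 over the payload bytes.
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_token(secret: bytes, user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Step 3: after the username/password check succeeded, issue a signed Token.

    The payload is the userId plus an absolute expiry (step 5); it is not encrypted,
    only integrity-protected, so nothing secret belongs in it."""
    now = int(time.time()) if now is None else now
    claims = {"userId": user_id, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url_encode(payload) + "." + b64url_encode(sign_payload(secret, payload))


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Steps 5 and 6: re-sign the received payload, compare signatures, then check expiry.

    Returns the claims on success and None when the Token is malformed, forged,
    tampered with, or expired. The caller must treat None as 'request failed'."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        received_sig = b64url_decode(sig_b64)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error is a ValueError)
        return None
    expected_sig = sign_payload(secret, payload)
    # Constant-time comparison, so an attacker cannot learn the signature byte by byte.
    if not hmac.compare_digest(expected_sig, received_sig):
        return None  # signature mismatch: payload tampered with, or signed with another key
    claims = json.loads(payload.decode("utf-8"))
    if int(claims.get("exp", 0)) <= now:
        return None  # expired: the client has to log in again (step 5)
    return claims


if __name__ == "__main__":
    token = issue_token(SERVER_SECRET, "u42", ttl_seconds=3600, now=1_000_000)
    print("issued  :", token)
    print("valid   ->", verify_token(SERVER_SECRET, token, now=1_000_100))
    print("expired ->", verify_token(SERVER_SECRET, token, now=1_003_600))
    # Tampering: keep the genuine signature but swap in a payload for a different user.
    other_payload = issue_token(SERVER_SECRET, "admin", 3600, now=1_000_000).split(".")[0]
    forged = other_payload + "." + token.split(".")[1]
    print("forged  ->", verify_token(SERVER_SECRET, forged, now=1_000_100))
```

The client would send the string returned by issue_token in a request header (step 4), and verify_token is what the server or gateway runs on every request. Two things the prose glosses over are visible here: the server stores nothing per user, which is the whole point, and the comparison in step 6 must be constant-time, because a plain == on the signature bytes leaks timing information that lets an attacker forge a signature incrementally.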

(Figure: example of generating a signature)


(Figure: example of verifying a signature)

To sum up

  • cookie: stored in the browser, has a size limit, stateful (it carries the session identifier);

  • session: stored on the server, so the server bears the resource overhead, and sharing it across a distributed deployment or across systems does not come for free;

  • Token: the client can store the Token anywhere; the server keeps no per-user state, so the scheme is stateless on the server side, which helps with distributed deployment. The flip side is that whatever the Token carries must be signed (or otherwise integrity-protected) and checked on every request, and a Token that has not yet expired cannot be revoked without reintroducing some server-side state.



Source: www.cnblogs.com/jokerbj/p/11106735.html