jwt token

1. Session authentication mechanism:

 1. The user logs in, and the client sends the user name and password to the server.
 2. The server verifies the user name and password; if the check succeeds, it saves the user's information in a session.
 3. The server returns the session ID to the client in a cookie, and the client stores the session ID.
 4. When the client calls the server again it carries the cookie with the session ID; the server looks up the corresponding session and uses it to verify the user's identity.
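The four steps above, written out as a minimal server-side session store. This is an added example, not code from the original post; the user table, the cookie name `sessionid` and the password check are constructed for illustration.

```python
import secrets

# Constructed user table for this example (a real server stores password hashes, not passwords).
USERS = {"alice": "correct horse battery staple"}

# Server-side session store: the user's identity lives here, not in the cookie.
SESSIONS = {}


def login(username, password):
    """Steps 1-3: verify credentials, create a session, return the Set-Cookie value."""
    if USERS.get(username) != password:
        return None
    # The session ID is random and opaque: the cookie carries no user data at all.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"username": username}
    return f"sessionid={session_id}; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(cookie_header):
    """Turn 'a=1; b=2' from a Cookie request header into a dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def authenticate(cookie_header):
    """Step 4: look up the session named by the cookie; return the user name or None."""
    session_id = parse_cookie_header(cookie_header).get("sessionid")
    session = SESSIONS.get(session_id)
    return session["username"] if session else None


def session_count():
    """Every logged-in user occupies server memory; this is the storage cost noted below."""
    return len(SESSIONS)


if __name__ == "__main__":
    set_cookie = login("alice", "correct horse battery staple")
    print("Set-Cookie:", set_cookie)
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    print("authenticated as:", authenticate(f"sessionid={sid}"))
    print("sessions held by server:", session_count())
```

The cookie contains only the random ID, so everything the server knows about the user has to be kept in `SESSIONS`; with many users, or with several servers that do not share that dictionary, that is exactly the cost and the sharing problem the next section lists.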

  Problems with session authentication:

  1. Session information is stored on the server side; with many users it takes up a lot of server storage space.

  2. Sessions depend on cookies; if the cookie is intercepted, CSRF attacks become possible.

  3. In a distributed web application, if sessions are stored in a server's memory, there is a session-sharing problem across servers.

 

2. JWT authentication mechanism

Structure of a JWT token:

  A string made up of three parts, the header, the payload and the signature, separated from each other by dots (.).

 

 1. Header: stores the token type and the signing algorithm:

    {"token type", "signature algorithm"}   The header part of the token is the base64 encoding of this JSON.

 

 2. Payload: stores the token's business data and its expiry time:

    {"user_id": "user id",

      "username": "username",

      "mobile": "15211111111",

      ...

      "exp": "token expiry time"}

   The payload part of the token is the base64 encoding of this JSON.

 

  3. Signature: its role is to prevent the JWT token from being forged. It is computed over the encoded header and payload with a secret key held only by the server, so changing either part without the key invalidates the signature.

  

 

Precautions when using JWT:

  • Do not put sensitive data in the payload (it is only base64-encoded, so anyone holding the token can read it)

  • The server must keep the signing key secret

  • Use a secure transport protocol: HTTPS

Extended use of JWT:

Functions: generating a JWT token, and verifying a JWT token.
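The three-part structure described above and the two functions named here (generate, verify), carried through as an added example using only the Python standard library. This is not code from the original post; the secret key, the claims and the HS256 choice are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example; a real service keeps this only on the server.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT uses for all three parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by b64url_encode before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_token(payload: dict, key: bytes, lifetime_seconds: int = 3600) -> str:
    """Build header.payload.signature, signing with HMAC-SHA256 (HS256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = dict(payload)
    claims["exp"] = int(time.time()) + lifetime_seconds
    header_part = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_part = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_part}.{payload_part}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_part}.{payload_part}.{b64url_encode(signature)}"


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the signature and expiry check out; otherwise raise ValueError."""
    try:
        header_part, payload_part, signature_part = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(b64url_decode(header_part))
    # Only accept the algorithm this server signs with; the header is untrusted input.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported algorithm")
    signing_input = f"{header_part}.{payload_part}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(signature_part)):
        raise ValueError("signature mismatch: token was forged or tampered with")
    claims = json.loads(b64url_decode(payload_part))
    current = int(time.time()) if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def read_payload_without_key(token: str) -> dict:
    """The payload is encoded, not encrypted: anyone holding the token can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def modify_payload_keep_signature(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the old signature (for testing detection)."""
    header_part, payload_part, signature_part = token.split(".")
    claims = json.loads(b64url_decode(payload_part))
    claims.update(changes)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_part}.{new_payload}.{signature_part}"


if __name__ == "__main__":
    token = generate_token({"user_id": 1, "username": "alice"}, SECRET_KEY)
    print("token:", token)
    print("verified claims:", verify_token(token, SECRET_KEY))
    print("payload readable without key:", read_payload_without_key(token))
    try:
        verify_token(modify_payload_keep_signature(token, user_id=2), SECRET_KEY)
    except ValueError as err:
        print("rejected:", err)
```

Two of the precautions above show up directly in this code: `read_payload_without_key` succeeds with no secret at all, which is why the payload must not carry sensitive data, and `verify_token` only rejects a changed payload because `SECRET_KEY` never left the server.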

 


Origin www.cnblogs.com/wjun0/p/11781229.html