The previous article (https://www.cnblogs.com/lihaoyang/p/11967121.html) described HttpBasic authentication, where a filter checks the username and password on every request. That approach has a problem: you cannot ask the user to enter the username and password for every request, and having the front end store the username and password so it can resend them is unsafe.
1. Schematic of token-based authentication
Cookie-Session based implementation
There are many ways to implement this. In Java web development the most common implementation is based on Cookie-Session; at its core, session-based login is also a form of token-based login:
Cookie-Session based login: after a successful login, the user information is stored in the Session:
The browser saves the session id in a cookie:
Login based on this cookie-session:
Pros: it makes up for the shortcomings of HttpBasic and is easy to use
Cons: it only works in a browser. The browser receives the JSESSIONID in the Set-Cookie response header and stores it; native apps and third-party servers do not handle cookies, so it does not work for them
In a cluster environment, the Session must be shared between nodes
Custom Token implementation
Session fixation attack protection:
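The following is an added example, not code from the original post or from Spring Security. It models the two mechanisms discussed above in a few dozen lines of Python: a Cookie-Session style login that stores user data server-side under a random session id (the value a browser would carry in a JSESSIONID cookie), and a custom stateless token signed with an HMAC. It also covers the session fixation point: the login function can either keep the pre-login session id (the vulnerable behaviour) or discard it and issue a fresh one, which is what Spring Security's default session-fixation protection does. The user table, the server key and the session store are constructed for the example; the function names are this example's own.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table for the example: username -> SHA-256 of the password.
# A real system would use a salted, slow hash (bcrypt, PBKDF2, Argon2).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# Server-side session store: session id -> session data (in-memory for the example;
# a cluster would need a shared store, as the text notes).
SESSIONS = {}

# Constructed signing key for the custom token; a real key is random and kept secret.
SERVER_KEY = b"constructed-example-key-do-not-use"


def check_password(username, password):
    expected = USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


def new_session_id():
    # 32 random bytes as hex: unguessable, and what the Set-Cookie header would carry.
    return secrets.token_hex(32)


def start_anonymous_session():
    """A visitor gets a session before logging in (e.g. for a shopping cart)."""
    sid = new_session_id()
    SESSIONS[sid] = {"user": None}
    return sid


def login(sid, username, password, rotate=True):
    """Cookie-Session login. Returns the session id the server should now set as
    the cookie, or None if the credentials are wrong.
    rotate=True discards the pre-login id and issues a fresh one (session
    fixation protection); rotate=False keeps the old id (the vulnerable variant)."""
    if not check_password(username, password):
        return None
    data = SESSIONS.get(sid, {"user": None})
    data["user"] = username
    if rotate:
        SESSIONS.pop(sid, None)   # the old id no longer resolves to anything
        sid = new_session_id()
    SESSIONS[sid] = data
    return sid


def current_user(sid):
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def fixation_check(rotate):
    """Illustrates the defence: a session id known before login is used to log in;
    returns True if that old id still resolves to the logged-in user afterwards."""
    known_before_login = start_anonymous_session()
    login(known_before_login, "alice", "correct horse", rotate=rotate)
    return current_user(known_before_login) == "alice"


def issue_token(username, ttl_seconds=3600, now=None):
    """Custom token: 'username:expiry:hmac'. No server-side state is kept, so it
    works for native apps and third-party servers that do not handle cookies."""
    now = time.time() if now is None else now
    payload = f"{username}:{int(now + ttl_seconds)}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token, now=None):
    """Returns the username if the signature is valid and the token is not expired."""
    now = time.time() if now is None else now
    try:
        username, exp, sig = token.rsplit(":", 2)
    except ValueError:
        return None
    payload = f"{username}:{exp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None            # tampered or forged
    if now > int(exp):
        return None            # expired
    return username


if __name__ == "__main__":
    print("old id still valid without rotation:", fixation_check(rotate=False))
    print("old id still valid with rotation:", fixation_check(rotate=True))
    tok = issue_token("alice", ttl_seconds=60)
    print("token verifies as:", verify_token(tok))
```

The rotation in login is the whole of the fixation defence: whatever session id a client presented before authenticating is thrown away, so nothing that was tied to that id can be used to reach the authenticated session. The token variant trades the shared session store for a signature check, which is why it suits clusters and non-browser clients, at the cost of not being revocable before expiry without extra state.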
++++++++++++++++++++++++++ Chapter 3 summary ++++++++++++++++++++++++++