Get rid of server-side state! From Session to Token

Before talking about tokens, let's briefly cover what Session and Cookie are.

First you must know that HTTP requests are stateless;

Stateless means every request is independent: a request is not affected by the requests before it, and it does not affect the requests after it;

In such a system, after we log in once (the username and password are verified), we expect to open every page without logging in again until we actively log out or the login times out; to give the server this "memory", we can use Session and Cookie.

 

01

Cookie

A Cookie is a mechanism for storing user information on the client (browser); the Cookie is generated by the server and sent to the browser, which stores it as key-value pairs in a directory on the client; the storage limit differs somewhat between browsers, but is usually no more than 4KB;

On the next request the Cookie is sent back to the server, which parses the information in the Cookie and verifies the identity.

For example, when you join a company it issues you a work badge with your name, employee number, department and so on printed on it; when you enter the office, holding the badge is enough to get through.

Cookies cannot be used across domains; if I took my company's badge to your company, security certainly would not let me in.

 

02

Session

A Session is stored on the server and can be used to record the client's state;

For example, we often use the Session to save basic user information, permissions and so on; after the user logs in for the first time, the server creates a Session and returns its SessionID to the browser, which usually writes it into a Cookie (this kind of Cookie is also called a Session Cookie); when the browser visits again, it only needs to carry the SessionID and the server can find the corresponding Session.

Also, the SessionID does not have to be saved in a Cookie; that is just the default practice for browser clients.

 

03

Cookie and Session

When asked about the difference between Cookie and Session, many students answer: "Cookie is stored on the client, Session is stored on the server"; in fact this view is incomplete:

A Cookie is something that actually exists, a very concrete thing: a piece of data. A Session is an abstract concept, a pattern or method, and it has many implementations;

For example Tomcat's implementation: the state is stored on the server and a JSESSIONID is generated and placed in a Cookie; when a request arrives carrying the JSESSIONID, the server looks it up and verifies it.

 

04

Token

Of course, as the number of users grows, the Sessions stored on the server grow too, which puts a lot of pressure on the server; and if the application is deployed distributed or clustered, the user's first request may go to server A, which creates the Session, while the second request goes to server B, which does not have the Session that A created; this is the Session-sharing problem of a distributed architecture.

To solve this we can synchronize Sessions between the servers, or simply store the Session in a third-party component such as Redis; but whichever approach we take, the Session becomes a burden on the project.

At this point the server thinks: how nice it would be if I did not have to save the Session at all; send me your username and password the first time, after verification I will give you a pass, and the client carries this pass on every subsequent request;

That pass is the token. Naturally, it needs to contain the client's identity information, since the server needs to know who sent each request; it also needs to contain time information, since the pass cannot be valid forever; and it cannot be a plaintext pass, otherwise there is a risk of it being intercepted and forged.

 

HMAC-SHA1:

token = user_id|expiry_date|HMAC(user_id|expiry_date, k)

AES:

token = AES(user_id|expiry_date, x)

RSA:

token = RSA(user_id|expiry_date, private key)
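As an added example (not code from the original post), here is the HMAC-SHA1 variant above implemented in Python: the server issues user_id|expiry_date|HMAC(...) and later verifies the MAC and the expiry before trusting the user_id. The secret key, user ID and timestamps are constructed demo values.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real server loads this from a secret store and never sends it to clients.
SECRET_KEY = b"demo-server-side-key-do-not-reuse"
SEP = "|"


def issue_token(user_id: str, expiry_ts: int, key: bytes = SECRET_KEY) -> str:
    """Build user_id|expiry_date|HMAC-SHA1(user_id|expiry_date, key), MAC as hex."""
    if SEP in user_id:
        # The separator inside user_id would let one token parse as a different identity.
        raise ValueError("user_id must not contain the separator")
    payload = f"{user_id}{SEP}{expiry_ts}"
    mac = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    return f"{payload}{SEP}{mac}"


def verify_token(token: str, now_ts: int, key: bytes = SECRET_KEY):
    """Return the user_id if the MAC is valid and the token is unexpired, else None."""
    parts = token.split(SEP)
    if len(parts) != 3:
        return None
    user_id, expiry_str, mac = parts
    payload = f"{user_id}{SEP}{expiry_str}"
    expected = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    # Constant-time comparison so the MAC check does not leak timing information.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        expiry_ts = int(expiry_str)
    except ValueError:
        return None
    if now_ts >= expiry_ts:
        return None  # pass has expired; client must log in again
    return user_id


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("42", now + 3600)
    print(tok)
    print("valid for:", verify_token(tok, now))
    print("tampered:", verify_token(tok.replace("42" + SEP, "43" + SEP, 1), now))
```

Anyone who changes the user_id or the expiry without the key fails the MAC check, which is why the key must stay server-side.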

 

05

SSO single sign-on

Some companies build a unified login system (single sign-on): the client first obtains a Token from this system and, once it passes verification, uses that Token to access the other systems; an API Gateway can provide similar functionality. That is how our company does it: when a client connects, it first obtains a Token from the gateway, and only after verification can it access the authorized interfaces; after a period of time it has to obtain a new Token.

 

06

Token and Session

Comparing session and token, there is no essential difference between them: both are encrypted strings, and both can be used for authentication. Of course a token still differs from a session in some ways, for instance a token crosses domains more easily and is easier to control; and in authorization scenarios a token has a much bigger advantage over a session;

For example, suppose I build a website that lets WeChat users log in; the flow using a token is roughly:

  • When logging in to the website, redirect to the WeChat login page;

  • After the user enters their username and password to log in to WeChat, WeChat gives us a token;

  • With that token the user can use our website, and our website never needs to know your WeChat username and password.

In short, within a single website there is not much difference between token and session; when used across sites, a token is more convenient.


Origin blog.csdn.net/jiaonizuoren/article/details/103970087