jwt principle & Use

1.1 Cookie/session use, advantages and disadvantages

   Reference blog: https://baijiahao.baidu.com/s?id=1608021814182894637&wfr=spider&for=pc

  1, how cookie-based sessions work

      1. The user sends the user name and password to the server.

      2. After the server verifies them, it saves the relevant data (such as the user's role, login time, etc.) in the current session.

      3. The server returns a session_id to the user, which is written into the user's Cookie.

      4. Every subsequent request the user sends to the server carries the session_id from the Cookie.

      5. The server receives the session_id, compares it with the previously saved session data, and confirms the user's identity.


  2, disadvantages of server-side sessions

      1. The biggest problem with this model is that it does not suit a distributed architecture: it cannot scale horizontally.
      2. With a single server, this model works without problems.
      3. However, with cross-domain access, a server cluster, or a service-oriented architecture, a unified session store is needed so that session data can be shared,
      4. so that every server behind the load balancer can verify the user's identity correctly.

  3, the common workaround for shared sessions

      1. One solution is to persist the session data into a database or a file-based persistence layer.
      2. After receiving a request, the service reads the authentication data back from the persistence layer.
      3. The system then depends on the database or persistence layer, which becomes a single point of risk: if the persistence layer fails, the entire authentication system hangs.
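The following is an added example (not code from the original blog post) that models steps 1 to 5 above plus both of the points that follow: two servers with private session tables cannot recognise each other's session_id, and a shared session store lets them do so but becomes a single point of failure. The user table, password, salt and the `SessionStore.available` flag are all constructed for this demonstration; a real deployment would use a database or cache and an HTTP layer that sets the cookie.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table for this example: salted PBKDF2 password hashes, never plaintext.
_SALT = b"constructed-demo-salt"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"Chongchong": _hash_password("correct-horse-battery")}


class SessionStore:
    """Stand-in for a session table or persistence layer; `available` simulates an outage."""

    def __init__(self):
        self._data = {}
        self.available = True

    def put(self, session_id, record):
        if not self.available:
            raise ConnectionError("session store unavailable")
        self._data[session_id] = record

    def get(self, session_id):
        if not self.available:
            raise ConnectionError("session store unavailable")
        return self._data.get(session_id)


class SessionServer:
    """One application server. By default it keeps a private session table (step 2 of the text);
    pass a shared SessionStore to model the persistence-layer workaround from section 3."""

    def __init__(self, store=None):
        self.store = store if store is not None else SessionStore()

    def login(self, username, password):
        # Step 1: the user sends name and password; compare password hashes in constant time.
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
            return None
        # Steps 2-3: save role, login time, etc. under an unguessable session_id and return it;
        # the HTTP layer would deliver it to the browser in a Set-Cookie header.
        session_id = secrets.token_urlsafe(32)
        self.store.put(session_id, {"user": username, "role": "Admin", "login_time": time.time()})
        return session_id

    def authenticate(self, session_id):
        # Steps 4-5: the Cookie comes back with each request; identity is whatever the store holds.
        return self.store.get(session_id)


if __name__ == "__main__":
    a, b = SessionServer(), SessionServer()          # two servers behind a load balancer
    sid = a.login("Chongchong", "correct-horse-battery")
    print(a.authenticate(sid))                        # recognised by the server that issued it
    print(b.authenticate(sid))                        # None: b has its own table
    shared = SessionStore()
    c, d = SessionServer(shared), SessionServer(shared)
    sid = c.login("Chongchong", "correct-horse-battery")
    print(d.authenticate(sid))                        # recognised through the shared store
    shared.available = False                          # persistence layer fails: every login and lookup now fails
```

With the shared store switched to `available = False`, any call to `authenticate` or `login` raises `ConnectionError`, which is the single point of failure the text warns about.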


1.2 JWT Introduction

  1, JWT principle

The principle of JWT is that after the server authenticates the user, it generates a JSON object and sends it back to the user:
{
"UserName": "Chongchong",
"Role": "Admin",
"Expire": "2018-08-08 20:15:56"
}

Afterwards, whenever the user communicates with the server, the client sends this JSON object back in the request, and the server relies only on this JSON object to identify the user.
To prevent the user from tampering with the data, the server adds a signature when it generates the object (see below for details).
The server does not save any session data, i.e. the server becomes stateless, which makes it easier to scale.


  2, JWT data structure

      1) JWT header: the header is a JSON object describing the JWT's metadata

      2) Payload: seven default (registered) fields plus custom private fields

      3) signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)


    1) JWT header

# The JWT header is a JSON object describing the JWT's metadata, usually as follows.
{
"alg": "HS256",
"typ": "JWT"
}
# 1) The alg attribute indicates the algorithm used for the signature; the default is HMAC SHA256 (written as HS256);
# 2) The typ attribute indicates the type of token; JWT tokens always write JWT.
# 3) Finally, the JSON object above is converted to a string with the Base64 URL algorithm and stored.


    2) Payload


    3) signature hash

# 1. The signature hash part signs the two parts above, generating a hash with the specified algorithm to ensure the data has not been tampered with.
# 2. First, a secret must be specified; this secret is stored only on the server and must never be disclosed to users.
# 3. Then, the signing algorithm specified in the header (HMAC SHA256 by default) generates the signature according to the following formula.
# 4. HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
# 5. After the signature hash is computed, the three parts (JWT header, payload and signature hash) are joined into one string, each part separated by ".", which forms the complete JWT.

  3, JWT core idea

      1) The token issued to the user corresponds to a lock, and the server-side secret key corresponds to the key that opens it.

      2) Each client request carries the lock; the server tries to open it with the secret key, and if it cannot be opened the token is proved to be forged.

  4, JWT feature analysis

      1, JWT is not encrypted by default, but it can be encrypted: after the original token is generated, it can be encrypted again with a key.

      2, When the JWT is not encrypted, secret data cannot be transmitted through the JWT.

      3, JWT is used not only for authentication but also for exchanging information; using JWT helps reduce the number of database queries the server makes.

      4, The biggest drawback of JWT is that, because the server keeps no session state, a token cannot be revoked or have its permissions changed while it is in use; once a JWT is issued it remains valid until it expires.

      5, The JWT itself contains the authentication information, so once it leaks, anyone holding it obtains all the permissions of that token.

      6, To reduce forgery and theft, JWTs should not be transmitted over plain HTTP but over the encrypted transport protocol HTTPS.
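An added example (not code from the original post) that ties together section 2 (header, payload, signature formula), section 3 (the server's secret as the key that opens the lock) and the feature analysis above: it builds an HS256 JWT from the Base64 URL encoded header and payload, verifies it with a constant-time HMAC comparison, rejects a forged payload, enforces expiry statelessly, and shows that the payload can be read without the secret because it is encoded, not encrypted. The secret, the claims and the use of the registered `exp` claim (a Unix timestamp) in place of the text's "Expire" string are assumptions made for this example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example; a real server uses a random high-entropy key
# that is stored only server-side and never sent to users.
SECRET = b"constructed-server-side-secret"


def b64url_encode(data):
    """Base64 URL encoding without '=' padding, as JWT uses for each of its three parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload, secret):
    """Return header.payload.signature with
    signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token, secret, now=None):
    """Return the payload if the signature matches and the token has not expired, else None.

    Nothing inside the token is trusted until the HMAC (the key that opens the lock) has been
    recomputed with the server-side secret and compared in constant time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Accept only the algorithm this server issues; the token's own alg field is untrusted input.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # forged or tampered token: the lock does not open
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad Base64 or bad JSON (both are ValueError subclasses)
        return None
    # Stateless expiry check: with no server-side session, expiry is the only built-in way a
    # token stops being valid (feature 4 in the text).
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload


def read_payload_without_secret(token):
    """The payload is only Base64 URL encoded, not encrypted: anyone holding the token can read it
    (features 2 and 5 in the text), which is why secret data must not be placed in an unencrypted JWT."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    # Constructed claims mirroring the text's example, with exp as a Unix timestamp.
    claims = {"UserName": "Chongchong", "Role": "Admin", "exp": 1533730556}
    token = create_jwt(claims, SECRET)
    print(token)
    print(verify_jwt(token, SECRET, now=1533730000))          # claims accepted before expiry
    print(verify_jwt(token, SECRET, now=1533730556))          # None: expired
    print(verify_jwt(token, b"other-secret", now=1533730000))  # None: wrong key, lock does not open
    print(read_payload_without_secret(token))                 # readable without any secret
```

The `now` parameter exists only so the expiry behaviour can be exercised deterministically; in production leave it unset so the current time is used. Because `verify_jwt` returns `None` for every failure, the caller treats a missing payload as "not authenticated" without learning which check failed.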


Origin www.cnblogs.com/jiaxinzhu/p/12387397.html