This post was originally posted on my blog
preface
Stateless HTTP protocol
Once upon a time, the Web was all about browsing documents. Since it is browsing, as a server, there is no need to record what documents have been browsed during a certain period of time. Each request is a new HTTP protocol, which is request plus response. Instead of keeping track of who just made an HTTP request, each request is brand new.
How to manage sessions
With the rise of interactive Web applications, such as online shopping sites, sites that need to be logged in, one of the immediate problems is managing calls, remembering who logged in and who put items in their shopping carts, which means I have to separate everyone.
This article mainly explains how cookie, session and token manage session.
cookie
A cookie is a very specific thing, a piece of data that can be stored permanently in a browser. It has nothing to do with the server, just a data storage function implemented by the browser.
The cookie is generated by the server and sent to the browser, which stores the cookie in the form of KV in a text file under a directory. The cookie will be sent to the server when the same website is requested next time. Since cookies are stored on the client, browsers put in some restrictions to ensure that cookies can’t be used maliciously and don’t take up too much disk space. So there is a limit to the number of cookies per field.
How to set up
Client Setup
document.cookie = "name=xiaoming; age=12 "
Copy the code
- Clients can set the following cookie options: Expires, Domain, Path, and Secure (Secure cookies only take effect in HTTPS web pages), but they cannot set the httpOnly option
Set cookie => The cookie is automatically added to the request header => The server receives the cookie
Server Settings
Whether you request a resource file (such as HTML/JS/CSS/image) or send an Ajax request, the server returns a response. In response header, there is an item called set-cookie, which is specially used by the server to set cookies.
- A set-cookie can set only one cookie. If you want to set more than one cookie, you need to add the same number
set-cookie
- The server can set all of the cookie options: Expires, Domain, PATH, Secure, and HttpOnly
Cookie, SessionStorage, LocalStorage
HTML5 provides two types of localStorage: sessionStorage and localStorage;
session
What is a session
A session is literally a session. It’s kind of like when you’re talking to someone, how do you know you’re talking to Joe and not Joe? The other person must have certain characteristics (looks, etc.) that indicate he is Zhang SAN; The same goes for sessions, where the server knows who the current request is to. To do this, the server assigns a different “id” to each client, and then each time the client sends a request to the server, it carries this “ID” so that the server knows who the request is coming from. There are a lot of different ways for clients to store this “identity”. For browser clients, they use cookies.
Procedure (server session + client sessionId)
- 1. The user sends the user name and password to the server
- 2. After passing the authentication, the server saves relevant data in the current session, such as user role, login time, etc.;
- 3. The server returns a packet to the user
session_id
, written to the usercookie
- 4. Each subsequent request from the user is passed
cookie
That will besession_id
Back to server - 5. The server receives the message
session_id
, find the data saved in the early stage, thus know the identity of the user
Existing problems
Poor scalability
If it is a cluster of servers or a cross-domain service-oriented architecture, this requires session data to be shared and each server can read sessions.
For example, website A and website B are affiliated services of the same company. Now the requirement, as long as the user login in one of the websites, then visit another website will automatically login, how to achieve? The question is how to implement single sign-on
- Nginx IP_hash policy. The server uses the Nginx proxy, and each request is allocated according to the hash of the access IP address. In this way, the requests from the same IP address can access the same background server, avoiding the problem that A Session is created on server A and sent to server B for the second time.
- Session replication: When a Session changes on any server, the node serializes all the contents of that Session and broadcasts them to all other nodes.
- Shared Session: The Session Id is centrally stored in a place where all machines can access the data. The advantage of this scheme is the clear structure, but the disadvantage is the large amount of engineering. In addition, the persistence layer in case of failure, a single point of failure;
Alternatively, the server does not store session data at all, and all data is stored on the client side, sending each request back to the server. This scheme is the token-based authentication that will be introduced next;
Token
process
- A user sends requests using a user name and password
- Program verification
- The program returns a signed token to the client
- The client stores tokens and sends requests each time
- The server validates the Token and returns data
The technique of this approach has been implemented for a long time, and there is a standard available, which is JWT;
JWT(JSON Web Token)
The data structure
The actual JWT would look something like this:
JSON Web Tokens by dot (.) The three parts of the partition are:
- Header
- Payload
- Signature (= Signature)
Therefore, JWT is usually presented as follows:
xxxxx.yyyyy.zzzz
Header
Header is a JSON object
{
"alg": "HS256".// Indicates the signature algorithm, the default is HMAC SHA256 (HS256)
"typ": "JWT" // Indicates the type of the Token. JWT Token is written as JWT
}
Copy the code
Payload
The Payload part is also a JSON object that stores the data that needs to be transmitted
{
// 7 official fields
"iss": "a.com".// Issuer: indicates the issuer
"exp": "1d".// Expiration time: expiration time
"sub": "test"./ / the subject: theme
"aud": "xxx".// Audience
"nbf": "xxx".// Not Before: effective time
"iat": "xxx".// Issued At: time of issuance
"jti": "1111".// JWT ID: ID
// Private fields can be defined
"name": "John Doe"."admin": true
}
Copy the code
JWT is unencrypted by default and anyone can read it, so don’t put secret information in this section.
Signature (= Signature)
Signature is a Signature to the first two parts, preventing data from being tampered with.
First, you need to specify a secret. This key is known only to the server and cannot be disclosed to users. Then, using the signature algorithm specified in the Header (HMAC SHA256 by default), generate the signature as follows.
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Copy the code
After calculating the Signature, add the Header, Payload, and Signature parts into a string, and use dots (.) between each part. Delimit, and it can be returned to the user.
JWT = Base64(Header) + "." + Base64(Payload) + "." + $Signature
Copy the code
How to ensure safety?
- Send JWT using HTTPS; Do not write secret data to JWT when sending without HTTPS
- Expire time must be set in the payload of the JWT
use
The client receives the JWT returned by the server, which can be stored in cookies or localStorage. Thereafter, the client takes this JWT with it every time it communicates with the server. You can put it in a Cookie and send it automatically, but that’s not cross-domain, so it’s better to put it in the HTTP request header Authorization field.
Authorization: Bearer <token>
Copy the code
Alternatively, the JWT is placed in the data body of the POST request when it is cross-domain.
The role of JWT
JWT was originally intended to achieve authorization and identity authentication, which can achieve stateless and distributed Authorization of Web applications. The general implementation process is as follows
- The client needs to bring the user name/password and other identifiable content to the authorization server to obtain JWT information;
- Each service carries the Token content and interacts with the Web server. The service server verifies whether the Token is a valid Token issued by authorization and whether the current service request is valid.
Note that you do not need to apply for a Token every time. If you do not need to apply for a Token every time, you are not advised to apply for a Token every time because it will increase service time. Apply only when you log in, and then use the expiration date of the JWT or other means to ensure that the JWT is valid;
Acesss Token, Refresh Token
The biggest advantage of JWT is that servers do not need to store sessions, which facilitates the expansion of server authentication and authentication services. This is also the biggest disadvantage of JWT because the server does not need to store Session state, so it cannot discard a Token or change the permission of the Token during use. This means that once a JWT is issued, it will remain valid until it expires. We can make some improvements based on the problems mentioned above.
The preceding tokens are all Acesss tokens, which are required to access resource interfaces. There is also another type of Token, Refresh Token. Generally, the Refresh Token has a long validity period. However, the Access Token has a short validity period. When the Acesss Token becomes invalid, the user can obtain a new Token by using the Refresh Token. If the Refresh Token also becomes invalid, the user can only log in again. The Refresh Token and expiration time are stored in the server database and verified only when a new Acesss Token is applied for. It does not affect the service interface response time and does not need to be kept in memory to handle a large number of requests like the Session.
A simple JWT usage example
To prepare
npm i --save koa koa-route koa-bodyparser @koa/cors jwt-simple
Copy the code
Server code
const Koa = require("koa");
const app = new Koa();
const route = require('koa-route');
var bodyParser = require('koa-bodyparser');
const jwt = require('jwt-simple');
const cors = require('@koa/cors');
const secret = 'your_secret_string'; // The SECRET string used for encryption, which can be changed arbitrarily
app.use(bodyParser()); // Process the parameters of the POST request
const login = ctx= > {
const req = ctx.request.body;
const userName = req.userName;
const expires = Date.now() + 1000 * 60; // To facilitate testing, set the timeout to one minute later
const payload = {
iss: userName,
exp: expires
};
const Token = jwt.encode(payload, secret);
ctx.response.body = {
data: Token,
msg: 'Successful landing'
};
}
const getUserName = ctx= > {
const token = ctx.get('authorization').split("") [1];
const payload = jwt.decode(token, secret);
// Each request checks whether the Token expires and does not update the Token expiration time. (The validity period depends on actual application scenarios.)
if(Date.now() > payload.exp) {
ctx.response.body = {
errorMsg: 'Token has expired, please log in again '
};
} else {
ctx.response.body = {
data: {
username: payload.iss,
},
msg: 'User name obtained successfully'.errorMsg: ' '
};
}
}
app.use(cors());
app.use(route.post('/login', login));
app.use(route.get('/getUsername', getUserName));
app.listen(3200, () = > {console.log('Started successfully');
});
Copy the code
Client code
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="Width = device - width, initial - scale = 1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>JWT-demo</title>
<style>
.login-wrap {
height: 100px;
width: 200px;
border: 1px solid #ccc;
padding: 20px;
margin-bottom: 20px;
}
</style>
</head>
<body>
<div class="login-wrap">
<input type="text" placeholder="Username" class="userName">
<br>
<input type="password" placeholder="Password" class="password">
<br>
<br>
<button class="btn">landing</button>
</div>
<button class="btn1">Obtaining a user name</button>
<p class="username"></p>
</body>
<script>
var btn = document.querySelector('.btn');
btn.onclick = function () {
var userName = document.querySelector('.userName').value;
var password = document.querySelector('.password').value;
fetch('http://localhost:3200/login', {
method: 'POST'.body: `userName=${userName}&password=${password}`.headers: {'Content-Type': 'application/x-www-form-urlencoded'
},
mode: 'cors' // no-cors, cors, *same-origin
})
.then(function (response) {
return response.json();
})
.then(function (res) {
// Obtain the Token and put the Token in localStorage
document.cookie = `token=${res.data}`;
localStorage.setItem('token', res.data);
localStorage.setItem('token_exp'.new Date().getTime());
alert(res.msg);
})
.catch(err= > {
message.error('Local test error${err.message}`);
console.error('Local test error', err);
});
}
var btn1 = document.querySelector('.btn1');
btn1.onclick = function () {
var username = document.querySelector('.username');
const token = localStorage.getItem('token');
fetch('http://localhost:3200/getUsername', {
headers: {'Authorization': 'Bearer ' + token
},
mode: 'cors' // no-cors, cors, *same-origin
})
.then(function (response) {
return response.json();
})
.then(function (res) {
console.log('Return user information result', res);
if(res.errorMsg ! = =' ') {
alert(res.errorMsg);
username.innerHTML = ' ';
} else {
username.innerHTML = ` name:${res.data.username}`;
}
})
.catch(err= > {
console.error(err);
});
}
</script>
</html>
Copy the code
Run the code
The above is just a particularly simple example, for Token expiration only do simple processing, many boundary conditions did not do processing, such as exception processing;
The difference between
The difference between cookies and sessions
- Different storage locations: Cookie data is stored in the client’s browser, while session data is stored on the server
- The privacy policies are different: Cookies are not very secure. Others can analyze cookies stored locally and cheat cookies. For security, session should be used
- Sessions are stored on the server for a certain amount of time. When you increase the number of accesses, it takes a lot of performance out of your server, so you should use cookies to alleviate server performance
- Storage sizes vary: a single cookie can hold no more than 4K of data, and many browsers limit each site to 20 cookies
General advice: Save important information, such as login information, as session, and other information in cookies
The difference between Token and Session
Session is an HTTP storage mechanism that provides a persistence mechanism for stateless HTTP. Token is a Token, for example, when you authorize (log in) a program, it is a basis to determine whether you have authorized the software.
Session and Token are not contradictory. As an authentication Token, Session security is better than Session security, because each request has a signature and can prevent listening and replay attacks, while Session must rely on the link layer to ensure communication security. As mentioned above, if you need to implement stateful callback, you can still add a Session to store some state on the server.
conclusion
Cookie, session, and Token are not absolutely good or bad, as long as the actual business scenarios and requirements should be combined to decide which method to use to manage the call, of course, you can also use all three.
reference
- jwt
- Thoroughly understand cookies, sessions, and tokens
- JSON Web Token Tutorial
- Cookie, Session and Token (original)
- Three ways to manage Web sessions
- Do you really understand cookies and sessions
- Do not replace Session management with JWT (part 1) : Understand tokens,JWT,OAuth,SAML,SSO thoroughly
- Principle and implementation of access_token and refresh_token