HTTP is a stateless protocol, so stateful services need some mechanism to carry state from one request to the next. Cookies and sessions are the mechanisms that provide this state.

cookie

Cookie information is stored on the client, that is, in local files, and this placement can introduce security risks. An important property of cookies is that they cannot be used across domains.

session

A session is also a mechanism for recording state between the client and the server. Sessions are built on top of cookies, but the session data itself is stored on the server; only the session ID is stored in the cookie on the client.

  1. The user sends a request to the server, and the server creates a session based on the information the user submitted.
  2. The server returns the unique session ID to the client.
  3. After receiving the session ID, the client stores it in a cookie and records the domain name it belongs to.
  4. On later requests, the client looks up the cookie stored for that domain and sends it to the server, which accepts it as long as the session has not expired.

token

A token is a stateless credential. Token composition: uid + timestamp + sign. Compared with a session, nothing needs to be stored in memory or on disk; the server only needs to run its encryption/decryption (signing and verification) algorithm to recover the user information. Therefore, in scenarios where server-side user state is not required, tokens offer security, cross-domain use and statelessness.

Refresh token and Access token

The access token is short-lived. Forcing the user to enter the password frequently would be a poor experience, so a refresh token is issued alongside the access token: once the access token expires, the client sends the refresh token and a new access token is allocated. If the refresh token itself expires, the user still needs to log in again.

JWT (JSON Web Token)

JWT simplifies cross-domain problems. Suppose a company has two departmental systems and I want logging in to one to count for the other as well. If sessions are used, the shared session has to be written to a database for persistence; that is a lot of work, and the persistence layer can fail.

A JWT is a stateless representation of such information; its contents look something like this:

{
   name:liuyi
   like:game
   expire:2020-8-10 20:10:00 
}

After encoding and signing, it is a single string made up of three parts, Header.Payload.Signature, separated by dots.

header

The header is a JSON object that describes the signature algorithm and the token type.

{
    "alg":"HS256",
    "typ":"JWT"
}

alg (algorithm), typ (type)

payload

Officially, there are seven registered fields:

  1. iss (Issuer)
  2. exp (Expiration Time): expiration time
  3. sub (Subject)
  4. aud (Audience)
  5. nbf (Not Before)
  6. iat (Issued At): issue time
  7. jti (JWT ID)

In addition to these, you can define custom fields of your own.

{
    "sub":"no",
    "name":"liuyi"
}

Note that a JWT is not encrypted by default and anyone can read it, so do not put secret information in this section.

This JSON object, like the header, is converted to a string with the Base64URL encoding.

Signature

The first two parts are signed with a secret key to prevent tampering, using the signature algorithm named in the header:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The three parts are then joined with dots and returned to the user.
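The following is an added example, not code from the original post, that builds and verifies an HS256 JWT exactly as described above (Base64URL header and payload, HMAC-SHA256 over `header.payload`). On the verifying side it pins the algorithm to HS256 instead of trusting whatever the unsigned header claims, compares the signature in constant time, and enforces `exp`. The secret and payload values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # Base64URL: URL-safe alphabet with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding Base64URL drops before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature, signed with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jwt_decode(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify the signature and expiry; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: the header is unsigned input and must not choose it
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many signature bytes matched
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # A JWT stays valid until exp; this is the only built-in way to bound a leaked token
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload
```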

Summary

(1) JWT is not encrypted by default, but it can be: once the original token is generated, it can be encrypted again with a key.

(2) If a JWT is not encrypted, secret data must not be written into it.

(3) JWT can be used not only for authentication but also for information exchange. Used well, it reduces the number of times the server has to query the database.

(4) The biggest disadvantage of JWT is that the server does not store session state, so it cannot revoke a token or change its permissions while it is in use. That is, once a JWT is issued, it remains valid until it expires, unless the server deploys additional logic.

(5) Since a JWT itself contains the authentication information, anyone who obtains it gains all the permissions it grants. To limit the damage from theft, JWT expiry times should be short, and for important permissions the user should be authenticated again.

(6) To reduce the chance of theft, JWTs should not be transmitted in the clear over HTTP; use HTTPS for transmission.