Login session mechanism
HTTP is a stateless protocol: each browser request is independent of every other one. Many interactions still need state (staying logged in, for example), so the browser and the server maintain that state together. This is the session mechanism.
sessionID
- Implementation principle: when the browser sends its first request to the server, the server creates a session and returns its sessionID to the browser. Every subsequent request from the browser carries the sessionID, which is how the server recognizes the same user.
- The server stores user information in the session; the sessionID presented by the browser lets the server look up the corresponding session data.
- Sessions are typically stored in server memory or as files (one file per application).
- Disadvantages
token
Another approach is for the server to issue tokens, used for user authentication and app authorization.
- A token is a string generated by the server that serves as the client's credential for later requests. When the client logs in for the first time, the server generates a token and returns it to the client. From then on the client only has to send the token with each request; it never needs to send the user name and password again.
JWT – JSON Web Token
Single Sign-on (SSO)
Reference links:
www.cnblogs.com/lyzg/p/6067… zhuanlan.zhihu.com/p/354205290
What is SSO
After logging in once, the user can access other trusted platforms without logging in again.
CAS (Central Authentication Service)
- An independent, open protocol.
- CAS is an open source project initiated by Yale University that aims to provide a reliable single sign-on method for web application systems.
JWT
How to implement SSO
Share a cookie
- In a system built on the cookie-session mechanism, the login system returns a sessionId and stores it in a cookie. If another system can also obtain this cookie, it obtains the credential and there is no need to log in again.
- Cookies can be shared between different ports of the same domain (or a parent domain), unlike HTTP's same-origin policy (an HTTP request counts as cross-origin unless protocol, host and port are all identical). Therefore, deploying the front-end pages of multiple applications under the same domain (or under parent and child domains) and then sharing the session is enough to achieve single sign-on.
- When there are multiple servers on the back end, session sharing can be achieved by having them use the same Redis instance or the same database.
Implementation based on callbacks
- Token-based implementation with JWT: a JWT carries information that cannot be tampered with (once tampered, verification fails), so the user ID and other non-sensitive information can be placed directly in the JWT, eliminating the server-side session. The JWT is then shared across the platform's pages.
Third-party login and authorized login
The process in brief:
- Website A first registers with QQ and declares its identity, receiving two identifiers: a client ID (AppID) and a client key (AppSecret). Website A must also provide a callback URL.
- The user visits website A, chooses "log in with QQ", and is taken to the login page designated by QQ.
- After the user logs in to QQ and grants authorization, QQ calls the callback provided by website A and returns a code.
- Website A calls the designated QQ interface with the AppID, AppSecret and code to obtain an access_token.
- Website A stores the access_token.
- Website A calls the designated QQ interface with the access_token to obtain the user's personal information held by QQ.
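A runnable model of the checks the provider performs in the code-for-token exchange above (an added example, not the page's or QQ's code; the client ids, secrets, callback URLs and profile data are constructed):

```python
import secrets
import time

class AuthorizationServer:
    """Constructed stand-in for the provider (QQ in the text): keeps client registrations,
    mints one-time codes after the user consents, and swaps them for access_tokens."""
    CODE_TTL = 60  # seconds; a code is only a short-lived handle

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered callback URL)
        self.codes = {}    # code -> dict(client_id, redirect_uri, user_id, expires_at, used)
        self.tokens = {}   # access_token -> user_id
        self.users = {"u1001": {"nickname": "demo-user"}}  # constructed profile store

    def register_client(self, client_id, client_secret, callback_url):
        self.clients[client_id] = (client_secret, callback_url)

    def authorize(self, client_id, redirect_uri, user_id, now=None):
        """Runs after the user logs in and consents: mint a code bound to client and callback."""
        reg = self.clients.get(client_id)
        if reg is None or reg[1] != redirect_uri:
            return None  # unknown client, or callback differs from the registered one
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user_id": user_id,
                            "expires_at": (time.time() if now is None else now) + self.CODE_TTL,
                            "used": False}
        return code

    def exchange_code(self, client_id, client_secret, code, redirect_uri, now=None):
        """Back-channel call from website A's server; every check must pass before a token is issued."""
        reg = self.clients.get(client_id)
        if reg is None or not secrets.compare_digest(reg[0], client_secret):
            return None  # wrong AppSecret
        ac = self.codes.get(code)
        if ac is None or ac["used"] or ac["client_id"] != client_id or ac["redirect_uri"] != redirect_uri:
            return None  # unknown, replayed, or issued to a different client/callback
        if ac["expires_at"] <= (time.time() if now is None else now):
            return None  # expired
        ac["used"] = True  # single use: a code presented twice is rejected
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ac["user_id"]
        return token

    def user_info(self, access_token):
        """Resource request with the access_token: the step that fetches the user's profile."""
        uid = self.tokens.get(access_token)
        return None if uid is None else self.users.get(uid)
```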
OAuth 2.0
OAuth 2.0 is currently the most widely used authorization mechanism: it lets users authorize third-party applications to obtain their data.
WeChat QR-code scan login
Official documentation: developers.weixin.qq.com/doc/oplatfo…
QR code
A QR code stores data; it can be generated with a tool such as 草料二维码 (Caoliao QR) and scanned with or downloaded from WeChat.
The process in brief:
- Parties: the WeChat server and website A's server.
- The current user's personal information is stored on the WeChat server.
- The current user logs in to website A using the identity stored in WeChat.
- Website A must first apply to WeChat (the WeChat Open Platform) for the qualification and obtain an account and password.
- Generating the QR code: the "WeChat login access address" generates the QR code, followed by the callback method.
- The user scans the QR code with WeChat.
- WeChat displays a "confirm login" button.
- The user confirms the login.
- The WeChat server calls the callback method provided by website A, passing the parameter code.
- The callback method runs and reads the parameter code.
- Website A uses its account and password to obtain the interface-call credential.
- Website A calls the WeChat interface that returns the user's personal information.
- Once website A has obtained the user information, it lets the request through and treats the login as successful.
- Meanwhile, website A polls to check whether the user has scanned the code and the login has succeeded.
Illustrated description of the process
Premise: website A has registered with WeChat and holds an AppId, an AppSecret and a callback URL.
- Click "log in with WeChat" on website A's login page.
- The WeChat QR-code scanning page is displayed.
- The specific URL is: Open.weixin.qq.com/connect/qrc…
- The page sends a request for the QR code to the server: open.weixin.qq.com/connect/qrc…
- On receiving the request, the server randomly generates a UUID and stores it as a key in the Redis server, with an expiration time. After it expires, the user must refresh the QR code to obtain a new one.
- The server combines the UUID with WeChat's verification string to generate a QR-code image, then returns the image and the UUID to the user's browser. The string decoded from the QR code is (open.weixin.qq.com/connect/con…
- Once the browser has the QR code and UUID, it sends a request to the server every second to check whether the login has succeeded. The request carries the UUID as the identifier of the current page: Lp.open.weixin.qq.com/connect/l/q…
- When the browser receives the QR code, it displays it on the web page.
- The user opens WeChat on a phone that is already logged in and scans the QR code, obtaining the information encoded in it. Requests from the phone to the server carry the user's token, so the phone sends the parsed QR data together with the user token to the server as an authentication login request.
- On receiving the request, the mobile-side server checks the authentication message in the parameters to confirm that the requested interface is the user login interface. If so, it returns an acknowledgement to the phone.
- On receiving the acknowledgement, the phone shows the user a login confirmation box (to prevent accidental logins and make the process friendlier).
- After the user confirms, the phone sends another request. The server takes the UUID and token, resolves the token to a userId, and stores that userId as the value of the Redis key-value pair whose key is the UUID.
- On the browser's next poll, the web server reads the userId, encrypts it to produce a token, and returns that token to the browser. Login succeeds.
- After the WeChat login succeeds, WeChat calls the callback provided by website A and passes it a code.
- Website A requests the specified interface with the AppId, AppSecret (from the premise) and the code, and obtains the access_token, OpenID and other information.
- Website A requests the specified interface with the access_token and obtains the user information.
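As an added example that is not part of the original post, this models the server side of the QR flow described in both process sections above (UUID with a TTL, phone scan, phone confirm, browser poll). The Redis-like dict, hostnames, mobile sessions and user ids are constructed, and the web token is a random opaque string mapped server-side rather than the encrypted userId the text mentions:

```python
import secrets
import time
import uuid
class QrLoginServer:
    """Constructed model of the QR login flow: UUID kept in a Redis-like dict with a TTL, the phone
    binds its userId after confirmation, the browser polls until a web token is issued."""
    QR_TTL = 120  # seconds before the browser must refresh the QR code

    def __init__(self):
        self.store = {}  # uuid -> {"expires_at", "state", "user_id"}  (stand-in for Redis)
        self.mobile_sessions = {"mob-token-1": "user-77"}  # constructed: a phone already logged in
        self.web_tokens = {}  # browser token -> user_id (opaque random tokens, not encrypted userIds)

    def _entry(self, qid, now=None):
        e = self.store.get(qid)
        if e is not None and e["expires_at"] <= (time.time() if now is None else now):
            self.store.pop(qid)  # expired entries vanish, like a Redis TTL
            e = None
        return e

    def create_qr(self, now=None):  # mint a UUID, store it with an expiry, return it with the QR payload
        qid = str(uuid.uuid4())
        self.store[qid] = {"expires_at": (time.time() if now is None else now) + self.QR_TTL, "state": "waiting", "user_id": None}
        return qid, f"https://login.example/connect/confirm?uuid={qid}"  # constructed QR content

    def scan(self, qid, mobile_token, now=None):  # phone scanned the code with a valid mobile token
        e = self._entry(qid, now)
        if e is None or mobile_token not in self.mobile_sessions or e["state"] != "waiting":
            return False
        e["state"] = "scanned"  # the phone now shows the confirm box
        return True

    def confirm(self, qid, mobile_token, now=None):  # user pressed confirm: bind userId to the UUID
        e = self._entry(qid, now)
        user_id = self.mobile_sessions.get(mobile_token)
        if e is None or user_id is None or e["state"] != "scanned":
            return False
        e["state"], e["user_id"] = "confirmed", user_id
        return True

    def poll(self, qid, now=None):  # browser's per-second check; returns (status, web_token or None)
        e = self._entry(qid, now)
        if e is None:
            return "expired", None
        if e["state"] != "confirmed":
            return e["state"], None
        token = secrets.token_urlsafe(32)
        self.web_tokens[token] = e["user_id"]
        self.store.pop(qid)  # one shot: the UUID cannot yield a second token
        return "ok", token
```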