preface
Authentication and authorization, in fact, in a nutshell: authentication is to let the server know who you are, authorization is to let the server know what you can and can not do, authentication and authorization two ways: session-cookie and JWT, we will focus on these two schemes.
Session
The working principle of
After the client requests the server with the user name and password and passes identity authentication, the server generates session data related to identity authentication and stores it in the memory or memory database. Returns the corresponding sesssion_ID to the client, and the client saves the session_ID (which can be encrypted under the signature to prevent tampering) in the cookie. After that, all requests from the client will have the session_ID attached (after all, cookies will be passed to the server by default) to determine whether the server has the corresponding session data and check the login status and what permissions it has. If it passes the verification, it will do what it does, otherwise it will log in again.
Clear cookies if the front end exits. The back end forces the front end to recertify or modify the session.
advantage
The biggest advantage over JWT is that sessions can be cleared proactively
The session is stored on the server, which is relatively secure
Combined with cookie, it is flexible and compatible
disadvantages
Cookie + session does not work well in cross-domain scenarios
In distributed deployment, multiple servers need to share the session mechanism. You can store sessions in the database or redis to implement this mechanism
Cookie-based mechanisms can easily be CSRF
Querying session information may involve database query operations
Session, cookie, sessionStorage, localStorage
Session: Mainly stored on the server, which is relatively secure
Cookie: the valid time can be set. The default value is invalid after the browser is closed. It is mainly stored in the client and is not very secure
SessionStorage: valid only in the current session and cleared after closing the page or browser
Localstorage: permanently saved unless cleared
JWT
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and independent way to securely transfer information between parties as JSON objects. This information can be verified and trusted because it is digitally signed.
JWT is basically made up of. The separation consists of three parts, which are the header, payload and signature. A simple JWT example would look like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiemhhbmdzYW4ifQ.ec7IVPU-ePtbdkb85IRnK4t4nUVvF2bBf8fGhJmEwSs
Copy the code
If you look closely, you’ll see that this is actually a string of three segments separated by dots. In JWT, the names of each segment are:
Header.Payload.Signature
Copy the code
Each segment in the string is JSON encoded by Base64URL, and the Payload segment may be encrypted.
Header
The Header of JWT usually contains two fields: TYP (Type) and ALG (algorithm).
-
Typ: Indicates the token type, which is JWT
-
Alg: indicates the hash algorithm used, for example, HMAC SHA256 or RSA
A simple example:
{
"alg": "HS256"."typ": "JWT"
}
Copy the code
We coded it as follows:
>>> base64.b64encode(json.dumps({"alg":"HS256"."typ":"JWT"}))
'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9'
Copy the code
Payload
The Payload in JWT is actually the part of the Payload that stores the information that we need to pass around. Normally, we store user ids, user names, things like that. It also contains metadata such as publisher, expiration date, and so on.
However, this part differs from the Header part in that it can be encrypted rather than simply BASE64 encoded directly. But I’m going to use the BASE64 encoding for the sake of explanation, and notice that the BASE64 encoding is a little bit different, it’s actually a Base64UrlEncoder, and the difference is that it ignores the padding (=), And then the ‘-‘ is replaced by the ‘_’.
For example, our Payload is:
{"user_id":"zhangsan"}
Copy the code
Then Base64 should be:
>>> base64.urlsafe_b64encode('{"user_id":"zhangsan"}')
'eyJ1c2VyX2lkIjoiemhhbmdzYW4ifQ=='
Copy the code
Then remove the = sign, and the end should be:
'eyJ1c2VyX2lkIjoiemhhbmdzYW4ifQ'
Copy the code
Signature
The Signature is used to ensure that the Token is not tampered with or damaged during transmission. The Signature algorithm is also simple. However, in addition to the Header and Payload, the Signature is encrypted. There is also a key field, and the complete algorithm is:
Signature = HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
Copy the code
Again, as an example from the previous example,
Base64UrlEncode (header) = eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9 base64UrlEncode (content =" eyJ1c2VyX2lkIjoiemhhbmdzYW4ifQCopy the code
Secret: “secret”, the final signature should be:
>>> import hmac
>>> import hashlib
>>> import base64
>>> dig = hmac.new('secret', >>> msg="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiemhhbmdzYW4ifQ",
digestmod=
>>> base64.b64encode(dig.digest())
'ec7IVPU-ePtbdkb85IRnK4t4nUVvF2bBf8fGhJmEwSs='
Copy the code
The above three parts are assembled to form our JWT token, so our
{'user_id': 'zhangsan'}
Copy the code
The token is:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiemhhbmdzYW4ifQ.ec7IVPU-ePtbdkb85IRnK4t4nUVvF2bBf8fGhJmEwSs
Copy the code
The working principle of
1. First, the front-end sends its user name and password to the back-end interface through a Web form. This process is typically an HTTP POST request. The recommended method is ssl-encrypted transmission (HTTPS protocol) to avoid sensitive information being sniffed.
2. After the user name and password are verified successfully, the backend uses other information such as the user ID as the JWT Payload, combines the information with the header, and signs a JWT. The resulting JWT is a string shaped like ll.zzz.xxx.
3. The back end returns the JWT string to the front end as the result of successful login. The front-end can save the returned results in localStorage or sessionStorage, and the front-end can delete the saved JWT when logging out.
4. The front-end puts the JWT into the Authorization bit in the HTTP Header at each request. (Resolve XSS and XSRF issues)
5. Check whether the backend exists. If so, verify the validity of JWT. For example, check whether the signature is correct. Check whether the Token expires. Check whether the recipient of the Token is itself (optional).
6. After the authentication succeeds, the backend performs other logical operations using the user information contained in the JWT and returns corresponding results.
JWTs vs. Sessions
scalability
As your application grows and the number of users increases, you must begin to scale horizontally or vertically. Session data is stored in server memory through files or databases. In a horizontal scaling scenario, you have to start replicating server data, and you have to create a single central session storage system that all application servers can access. Otherwise, you won’t be able to extend the application due to session storage flaws. Another way to solve this challenge is to use a sticky session. You can also store sessions on disk, making it easy for your application to scale in the cloud. These kinds of solutions don’t really work in modern large-scale applications. Establishing and maintaining such distributed systems involves deep technical knowledge and consequent higher financial costs. In this case, using JWT is seamless; Because token-based authentication is stateless, there is no need to store user information in the session. Our application can easily scale because we can use tokens to access resources from different servers without worrying about whether the user is actually logged in to a server. You can also save money because you don’t need a dedicated server to store sessions. Why is that? Because there’s no session!
Note: Sessions are great if you’re building a small application that doesn’t need to scale across multiple servers and doesn’t require RESTful apis. If you use a dedicated server running a tool like Redis to store sessions, then sessions will probably work perfectly for you too!
security
JWT signatures are designed to prevent tampering on the client side, but they can also be encrypted to ensure that the claims carried by the token are very secure. JWT is primarily stored directly in Web stores (local /session stores) or cookies. JavaScript can access Web storage on the same domain. This means that your JWT may be vulnerable to XSS (cross-site scripting) attacks. Malicious JavaScript is embedded on pages to read and destroy the content stored on the Web. In fact, many people argue that some very sensitive data should not be in Web storage because of XSS attacks. A very typical example is to make sure your JWT does not encode overly sensitive/trusted data, such as a user’s Social Security number.
Initially, I mentioned that JWT could be stored in cookies. In fact, JWT is stored as cookies in many cases, and cookies are vulnerable to CSRF (Cross-site Request forgery) attacks. One of the many ways to prevent CSRF attacks is to ensure that your cookies are accessible only by your domain. As a developer, whether using JWT or not, make sure the necessary CSRF protections are in place to avoid these attacks.
JWT and Session ids are now also exposed to unguarded replay attacks. It is entirely up to the developer to build the appropriate replay prevention technology for the system. One solution to this problem is to ensure that JWT has a short expiration time. It’s not a complete solution, though. However, other alternatives to this challenge are to publish JWT to a specific IP address and use browser fingerprints.
Note: Use HTTPS/SSL to ensure that your cookies and JWT are encrypted by default during client and server transfers. This helps avoid man-in-the-middle attacks!
RESTful API service
A common pattern for modern applications is to use JSON data from RESTful API queries. Most applications today have RESTful apis for other developers or applications to use. The data provided by the API has several obvious advantages, one of which is that it can be used by multiple applications. In this case, the traditional methods of using sessions and cookies do not work well for user authentication because they introduce state into the application.
One of the tenets of a RESTful API is that it should be stateless, meaning that when a request is made, it always returns a response with parameters, with no additional impact. The user’s authentication status undermines this principle by introducing this additional effect. Keeping the API stateless, with no additional impact, means easier maintenance and debugging.
Another challenge is that it is common for one server to provide the API and for real applications to invoke its schema from another server. To achieve this, we need to enable cross-domain resource sharing (CORS). Cookies can only be used in the domain from which they originate and are of little help to the different domain apis relative to the application. Using JWT for authentication in this case ensures that the RESTful API is stateless and you don’t have to worry about who is serving the API or the application.
performance
A critical analysis of this is necessary. When making a request from the client to the server, each HTTP request incurs significant overhead if a large amount of data is encoded within the JWT. However, in a SESSION, there is only a small amount of overhead because the SESSION ID is actually quite small. Look at this example:
JWT has 5 claims:
{
"sub": "1234567890"."name": "Prosper Otemuyiwa"."admin": true,
"role": "manager"."company": "Auth0"
}
Copy the code
When encoded, the JWT will be several times the size of the SESSION ID (identifier), thus adding more overhead per HTTP request than the SESSION ID. With sessions, each request needs to find and deserialize sessions on the server.
JWT trades space for time by keeping data on the client. Your application’s data model is an important factor because it reduces latency by preventing continuous calls and queries to the server database. It is important to be careful not to store too many claims in the JWT to avoid large, overinflated requests.
It is worth mentioning that the token may need to access the back-end database. Especially in the case of refreshing tokens. They may need to access the database on the authorization server for blacklist processing. Get more information about refreshing tokens and when to use them. Also, check out this article for more information about blacklists (auth0.com/blog/blackl…) .
The downstream service
Another common pattern of modern Web applications is that they often rely on downstream services. For example, a call to the primary application server might make a request to a downstream server before the original request is resolved. The problem here is that cookies can’t easily flow to downstream servers or tell those servers about the user’s authentication status. Since each server has its own cookie scheme, there is a lot of resistance and connecting to them is difficult. JSON Web Token does it again with ease!
effectiveness
In addition, a stateless JWT is less effective than a session, which can only be destroyed when it expires, whereas a session can be destroyed manually.
For example, if permission information is stored in the JWT, for example, the current role is admin, but the senior administrator reduces the role of the abuser to user because the JWT owner abuses its rights. However, because the JWT cannot be refreshed in real time, the Settings of the advanced administrator can take effect only when the JWT expires and you are forced to log in again.
Alternatively, the user changes the password after discovering that the token is logged in to from a remote account. In this case, the token is still valid. The remote account can also perform operations including changing the password.
The solution is to store the tokens generated by JWT into redis or the database. When the user logs out or makes other actions to invalidate the tokens, the problem can be solved by deleting the corresponding relationship between the tokens in the database or Redis.
JWT is used in node
I use JWT in this project, and the method is as follows:
Install the JWT library first:
npm install jsonwebtoken
Copy the code
Then create signature data to generate tokens:
let jwt = require('jsonwebtoken');
var token = jwt.sign({ name: 'Joe' }, 'shhhhh');
console.log(token);
Copy the code
Run the program and you’ll see something like this printed out:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoi5byg5LiJIiwiaWF0IjoxNDYyODgxNDM3fQ.uVWC2h0_r1F4FZ3qDLkGN5KoFYbyZrFpRJMO NZrJJogCopy the code
Then, the token string can be decoded like this:
let decoded=jwt.decode(token);
console.log(decoded);
Copy the code
Will print out:
{ name: 'Joe', iat: 1462881437 }
Copy the code
Where iAT is the timestamp, that is, the time at which the signature was made (note: in seconds).
However, we generally do not use the decode method because it simply base64 decodes the claims part.
What we need is to verify that the claims have been tampered with.
We need to use the verify method:
let decoded = jwt.verify(token, 'shhhhh');
console.log(decoded);
Copy the code
Although the printed content is the same as the decode method. But it is verified.
We can change the checksum key, for example, to SHZZZZ, so that the sum encryption key is inconsistent. Then the decoding will be an error:
JsonWebTokenError: invalid signature
Copy the code
We can also secretly modify the claims or header part of a token and get an error:
JsonWebTokenError: invalid token
Copy the code
Finally, according to your own needs, decide whether to store the generated token in the database or Redis, but it is recommended not to store sensitive information such as user passwords.