First, we need to understand how session-based and token-based authentication are implemented.

Session

Approach

1. The client sends the user name and password to request login

2. The server receives the request and checks the user name and password against the database

3. After successful verification, the server returns a cookie or a string (the session ID) to the client, and keeps a session on the server side

4. After receiving the response, the client saves the string in a cookie

5. Each time the client requests a resource from the server, it automatically carries the cookie

6. The server receives the request and validates the cookie against the stored session; if validation succeeds, it returns the requested data from the database to the client

Session storage location: server memory, disk, or database

Session storage contents: session ID, creation time, user name, etc.

How the client carries it: a cookie is attached automatically; a value in localStorage must be attached manually
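The six session steps above, as an added example that is not part of the original post: two independent server instances, each with its own in-memory session store, a login that sets a cookie, and a request that is checked against the store. The user record, password and cookie name are constructed for the example. Running the demo also shows the multiple-server problem described later: the session created on instance A is unknown to instance B.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed user record: username -> (salt, PBKDF2 hash of the password).
def _hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-demo-salt"
USER_DB = {"alice": (_SALT, _hash_password(_SALT, "correct horse"))}


def check_credentials(username: str, password: str) -> bool:
    """Step 2: look the user up and compare the password hash in constant time."""
    record = USER_DB.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(salt, password), expected)


class SessionServer:
    """One server instance; its session store lives only in this process's memory."""

    def __init__(self, name: str, ttl_seconds: int = 3600):
        self.name = name
        self.ttl = ttl_seconds
        self.sessions = {}  # session id -> {"user": ..., "created": ...}

    def login(self, username: str, password: str):
        """Steps 1-3: verify credentials, create a session, return a Set-Cookie value."""
        if not check_credentials(username, password):
            return None
        sid = secrets.token_urlsafe(32)           # unguessable session id
        self.sessions[sid] = {"user": username, "created": time.time()}
        cookie = SimpleCookie()
        cookie["SESSIONID"] = sid
        cookie["SESSIONID"]["httponly"] = True    # not readable by page scripts
        cookie["SESSIONID"]["secure"] = True      # only sent over HTTPS
        cookie["SESSIONID"]["samesite"] = "Lax"   # not attached to most cross-site requests
        return cookie.output(header="").strip()

    def handle(self, cookie_header):
        """Steps 5-6: read the Cookie header, look the session up, answer 200 or 401."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get("SESSIONID")
        entry = self.sessions.get(morsel.value) if morsel else None
        if entry is None or time.time() - entry["created"] > self.ttl:
            return 401, "unauthenticated"
        return 200, f"hello {entry['user']}"


def cookie_header_from_set_cookie(set_cookie: str) -> str:
    """Step 4, as the browser does it automatically: keep name=value, drop the attributes."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())


def demo():
    """Two independent instances: the session created on A does not exist on B."""
    server_a, server_b = SessionServer("A"), SessionServer("B")
    set_cookie = server_a.login("alice", "correct horse")
    cookie_header = cookie_header_from_set_cookie(set_cookie)
    return server_a.handle(cookie_header)[0], server_b.handle(cookie_header)[0]


if __name__ == "__main__":
    print(demo())  # (200, 401): server B has no copy of the session
```

The 401 from server B is exactly the "unauthenticated" response described under the stickiness issue; a shared session store (database, or a cache such as Redis) or sticky routing is what removes it for session-based designs.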

Token

Approach

The server does not need to store login records; everything is sent to the client and stored by the client itself (cookie or localStorage).

1. The client sends the user name and password to request login

2. The server receives the request and verifies the user name and password

3. After successful verification, the server issues a Token (an encrypted string) and sends it to the client

4. After receiving the Token, the client stores it, for example in a cookie or in localStorage

5. Each time the client requests a resource from the server, it must carry the Token issued by the server

6. The server receives the request and verifies the Token carried by the client; if verification succeeds, it returns the requested data to the client
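The six token steps above, as an added example that is not from the original post: the token is an HMAC-SHA256-signed string (the usual form of the "encrypted string" in step 3; the claims are readable, but cannot be altered without the key), issued by one server instance and verified by another. The shared secret, the user list and the claim names are constructed for the example. Because the only thing a server needs is the key, instance B accepts a token issued by A, which is the point made later about sticky sessions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret: every server instance holds the same key, nothing else.
SECRET_KEY = b"constructed-demo-secret-change-me"
# Constructed credential check (plaintext lookup only to keep the example short).
USERS = {"alice": "correct horse"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_token(username: str, key: bytes = SECRET_KEY, ttl: int = 3600, now=None) -> str:
    """Step 3: serialise the claims and append an HMAC-SHA256 tag: <payload>.<mac>."""
    now = time.time() if now is None else now
    claims = {"sub": username, "iat": int(now), "exp": int(now) + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body, key)}"


def verify_token(token: str, key: bytes = SECRET_KEY, now=None):
    """Step 6: check the tag before trusting anything in the payload; return the user or None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    if not hmac.compare_digest(tag, _sign(body, key)):
        return None                     # forged or tampered
    try:
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None                     # expired
    return claims.get("sub")


class TokenServer:
    """A server instance that keeps no login state at all."""

    def __init__(self, name: str, key: bytes = SECRET_KEY):
        self.name, self.key = name, key

    def login(self, username: str, password: str):
        """Steps 1-3: verify credentials, hand back a signed token."""
        if username not in USERS or not hmac.compare_digest(USERS[username], password):
            return None
        return issue_token(username, self.key)

    def handle(self, authorization, now=None):
        """Steps 5-6: the token arrives in an Authorization: Bearer header."""
        if not authorization or not authorization.startswith("Bearer "):
            return 401, "unauthenticated"
        user = verify_token(authorization[len("Bearer "):], self.key, now)
        if user is None:
            return 401, "unauthenticated"
        return 200, f"hello {user}"


def demo():
    """Token issued by A is accepted by B; altered claims and expired tokens are not."""
    server_a, server_b = TokenServer("A"), TokenServer("B")
    token = server_a.login("alice", "correct horse")
    header = f"Bearer {token}"
    _body, tag = token.split(".")
    # Constructed tampering attempt: new claims, old tag.
    forged_body = _b64url(json.dumps({"sub": "admin", "exp": 2**31}).encode())
    return (
        server_a.handle(header)[0],                          # 200
        server_b.handle(header)[0],                          # 200: no sticky session needed
        server_b.handle(f"Bearer {forged_body}.{tag}")[0],   # 401: tag no longer matches
        server_b.handle(header, now=time.time() + 7200)[0],  # 401: past exp
    )


if __name__ == "__main__":
    print(demo())  # (200, 200, 401, 401)
```

Two design points worth noticing: the tag is checked before the payload is parsed, so unsigned input never reaches the JSON decoder; and the comparison uses hmac.compare_digest, so a wrong tag takes the same time to reject whichever byte differs.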

Session vs token

                                      session    token
The server stores user information    yes        no
Avoids CSRF attacks                   no         yes
Scalability                           average    high
Multiple-server stickiness issue      yes        no

Multiple-server stickiness issue

When an application reads, writes or deletes a session, a file operation occurs in the operating system's temp folder, at least the first time. Suppose there are multiple servers and a session is created on the first one. When you send the next request and it lands on another server, the session information does not exist there and you get an "unauthenticated" response. This can be solved with sticky sessions. In token-based authentication, however, the problem does not arise in the first place: there is no sticky-session issue because the token is carried in, and checked on, every request sent to the server.

CSRF

CSRF, full name cross-site request forgery and usually abbreviated CSRF or XSRF, is an attack that tricks a user into performing unintended actions on a web application in which they are currently logged in. A CSRF attack targets state-changing requests rather than theft of user data, because the attacker cannot read the server's response.
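The reason the comparison table marks session-based authentication as exposed to CSRF is the browser's behaviour in step 5: a cookie is attached to every request for the site, including one submitted from another page, whereas a token read from localStorage and placed in an Authorization header is only sent by the application's own script. The following added example (not from the original post) shows the check a cookie-authenticated application performs on state-changing requests: the Origin (or Referer) must be the application's own, and the form must carry a per-session secret that a page on another site cannot know. The origin names, the request dictionaries and the session value are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the application's own origin(s). Anything else is cross-site.
ALLOWED_ORIGINS = {"https://app.example"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_csrf_token() -> str:
    """Generated once per session and stored server-side next to the session record."""
    return secrets.token_urlsafe(32)


def csrf_check(request: dict, session_csrf_token: str) -> bool:
    """Decide whether a cookie-authenticated request may change state.

    request is a constructed dict with "method", "headers" and "form" keys.
    Two independent conditions: the browser-supplied origin must be ours, and the
    form must carry the per-session token that only our own pages can embed.
    """
    if request["method"] in SAFE_METHODS:
        return True                        # safe methods must never change state
    headers = request["headers"]
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_ORIGINS:
        return False                       # the browser says the request came from elsewhere
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, session_csrf_token)


def demo():
    """Four constructed requests; the browser attaches the session cookie to all of them."""
    token = new_csrf_token()
    cookie = {"Cookie": "SESSIONID=constructed-session-id"}
    # Rendered by our own page, so it carries the token.
    legitimate = {"method": "POST",
                  "headers": {"Origin": "https://app.example", **cookie},
                  "form": {"email": "alice@new.example", "csrf_token": token}}
    # Submitted from another site: cookie present, token unknown.
    cross_site = {"method": "POST",
                  "headers": {"Origin": "https://other.example", **cookie},
                  "form": {"email": "someone@other.example"}}
    # Plain navigation: safe method, nothing to protect.
    navigation = {"method": "GET", "headers": dict(cookie), "form": {}}
    # Our own origin, but a stale form without the current session's token.
    stale_form = {"method": "POST",
                  "headers": {"Referer": "https://app.example/settings", **cookie},
                  "form": {"email": "alice@new.example", "csrf_token": "old-value"}}
    return tuple(csrf_check(r, token) for r in (legitimate, cross_site, navigation, stale_form))


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The SameSite=Lax cookie attribute set at login reduces the exposure further, but the server-side check above is what an application controls directly, which is why it is still applied to every state-changing request.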