The HTTP protocol is stateless, meaning the server cannot tell from one request to the next which client a message came from, so some interactive business cannot be supported. That is why Cookies came into being.
Cookie
Let's look at what a Cookie looks like in the F12 developer tools.
As you can see from the figure, a Cookie has the following fields: Name, Value, Domain, Path, Expires/max-age, Size, HttpOnly, Secure, SameSite, Priority.
Cookie delivery goes through these four steps:
- The Client sends an HTTP request to the Server
- The Server responds with set-cookie header information
- The Client saves the Cookie and then requests the Server with the Cookie header
- The Server knows who the Client is from the Cookie and returns the corresponding response
The word cookie literally means a small sweet; in use, a Cookie can auto-fill the user name and remember the password, a little sweetness for the user.
After the Server receives the Cookie, what information does it use to determine which Client this is? The server's SessionID.
Session
If the user name, password and other important private data are stored in the client's Cookie, there is still a risk of disclosure. For greater security, the confidential information is stored on the server instead; this is called a Session. A Session is a per-client record maintained on the server. It can be understood as a user table stored in the server's database, holding the client's user information, and the SessionID is the primary key of this table.
Cookie saves the SessionID
Session information stored on the server occupies memory; with more users, the overhead is bound to grow. To improve efficiency we need distribution and load balancing, but because the authentication information lives in one server's memory, the user must reach the same server next time to get their authorization information, which limits load balancing. In addition, the SessionID travels in the Cookie, so there are still exposure risks, such as CSRF.
How to solve these problems? Token-based authentication.
Token
First, a Token does not require the server to store user information, saving memory. Second, because no information is stored, a client can be authenticated by any of several servers, which improves scalability. Third, the Token can be signed using different encryption methods, improving security.
A Token is a string
The Token transfer process is similar to that of the Cookie, except that the object being transferred is now the Token. After the user requests the server with a user name and password, the server generates a Token and returns it to the client. When the client makes its next request carrying the Token, the server uses the Token for authentication.
Token solves the Session problems well, but it is still not perfect. When authenticating a Token, the server still has to query the authentication information in the database. To authenticate directly without hitting the database, JWT appeared.
JWT
JWT stands for JSON Web Token. A JWT carries all the information itself, including user name and password and the encryption information, stored as JSON objects.
A JWT looks like xxxxx.yyyyy.zzzzz, very artistic. It includes three parts:
- Header
The value includes the token type and the signature algorithm (HMAC SHA256 or RSA).
{ "alg": "HS256", "typ": "JWT" }
- Payload
The content to transfer.
{ "sub": "1234567890", "name": "John Doe", "admin": true }
- Signature
Add salt: the secret (the server's private key).
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Put on some makeup, and it looks nice.
You can try it at jwt.io/#debugger-i…
Put a coat on the Token:
Authorization: Bearer <token>
This is the format we see in the request Header.
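As an added example (not code from the original article or from the author's Go series), here are the three JWT steps above in Go: HS256 signing and the verification a server does with no database lookup. The function names SignHS256 and VerifyHS256 are my own, and the secret and the sub/name/admin claims are constructed sample values.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding // JWT's base64UrlEncode: URL-safe alphabet, no '=' padding
// hs256 is HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret).
func hs256(signingInput string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}
// SignHS256 assembles header.payload.signature from raw header and payload JSON.
func SignHS256(headerJSON, payloadJSON string, secret []byte) string {
	signingInput := enc.EncodeToString([]byte(headerJSON)) + "." + enc.EncodeToString([]byte(payloadJSON))
	return signingInput + "." + enc.EncodeToString(hs256(signingInput, secret))
}
// VerifyHS256 checks a token and returns its payload JSON. The server pins alg to HS256
// (a forged header cannot pick "none" or another algorithm) and compares signatures in constant time.
func VerifyHS256(token string, secret []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token must have three dot-separated parts")
	}
	hdr, err1 := enc.DecodeString(parts[0])
	payload, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", fmt.Errorf("malformed base64url segment")
	}
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return "", fmt.Errorf("unsupported or missing alg")
	}
	if !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], secret)) {
		return "", fmt.Errorf("bad signature")
	}
	return string(payload), nil
}
func main() {
	secret := []byte("constructed-demo-secret") // constructed; use a long random key in practice
	tok := SignHS256(`{"alg":"HS256","typ":"JWT"}`, `{"sub":"1234567890","name":"John Doe","admin":true}`, secret)
	payload, err := VerifyHS256(tok, secret)
	fmt.Println(tok, "\nverified:", err == nil, payload)
}
```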
I will write the technical details of JWT in Go Test Development (III) JWT Certification.
A brief review
This article briefly introduced the concepts of Cookie, Session, Token and JWT, and why each of these technologies is needed. As for the deeper principles and code usage, readers are invited to study them on their own. At least after this article the terms will make sense to you and no longer feel strange. Ha, ha, ha.
Resources
jwt.io/introductio…
jwt-handbook-v0_14_1