Cookie

A cookie is a piece of data that the server sends to the user's browser, which stores it locally. Broken down: a cookie is a storage area on the client side, and the server can assign values to it. Cookies are also not allowed to cross domains: each cookie is bound to a single domain name, although a level-1 domain name and its level-2 domain name can share it through the cookie's Domain attribute.

Example: browser developer tools, Application tab, Cookies.

Session

A session is a mechanism for recording the conversational state between the client and the server. It is implemented on top of cookies: the JSESSIONID (session id) is stored in a cookie, while the session details are stored on the server (customized by the developer).

Token

The client carries a token when accessing a resource on the server, and the server parses the token to decide whether the request is authorized. The token is stored on the client, in either a cookie or localStorage, and can be passed to the server as a parameter. Basic flow: the user logs in; the server encrypts the user information into a token string and returns it to the client; the client stores it locally; the client carries the token when requesting resources; the server parses the token to decide whether the client has permission to access the resource.

JWT (JSON Web Token)

JWT is a solution for cross-domain authentication. Basic principle: once the user is authenticated, the server generates a JWT string, which the client carries with it whenever it communicates with the server. (It looks similar to a token, but note the distinction: a token is a credential, while JWT is a solution.) To work around the fact that cookies cannot cross domains, the JWT token string is put in the HTTP Authorization request header, for example: Authorization: Bearer <token>

JWT features:

(1) JWT is not encrypted by default, but it can be encrypted: once the original token is generated, it can be encrypted again with a key.

(2) If a JWT is not encrypted, secret data must not be written into it.

(3) JWT can be used not only for authentication but also for information exchange. Used effectively, JWT can reduce the number of times the server queries the database.

(4) The biggest disadvantage of JWT is that the server does not store session state, so it cannot revoke a token or change its permissions while it is in use. That is, once a JWT is issued it remains valid until it expires, unless the server deploys additional logic.

(5) A JWT itself contains the authentication information, so once it is disclosed anyone can obtain all the permissions of that token. To reduce theft, JWT expiration times should be short, and for important permissions the user should be authenticated again.

(6) To reduce theft, JWTs should not be transmitted in plaintext over HTTP; they should be transmitted over HTTPS.
