1. A token generally consists of uid + time + sign (signature) + [fixed parameters]:

    Uid: the user's unique id. Time: the timestamp at which the token is issued. Sign: a signature (hash/encrypt over the other fields) compressed into a hexadecimal string of fixed length, so that a malicious third party cannot simply concatenate the fields themselves. Fixed parameters (optional): commonly used fixed parameters are added to the token to avoid repeated database lookups.

2. On the client the token is stored in localStorage, a cookie, or sessionStorage; on the server it is typically stored in a database.

3. Token authentication process

    After the user logs in successfully, the server returns the token to the client, which saves it locally. On every later request the client adds the token to the headers, and the server uses a filter to verify each request. If verification succeeds, the requested data is returned; if it fails, an error code is returned.

4. A token resists CSRF; cookie + session does not. The browser attaches cookies to cross-site requests automatically, whereas a token carried in a request header has to be added by the page's own script.

5. Session state is stored in server memory or on disk. When servers are distributed or clustered, load balancing sessions becomes a problem: with multiple servers it is hard to check whether the current user is logged in, because the servers do not share sessions.

6. The client logs in and sends its credentials to the server. The server encrypts the user information into a token and returns it to the client, which stores the token in a container such as localStorage. The client passes the token on every access, and the server decrypts it to learn who the user is. By spending CPU time on encryption and decryption, the server does not need to store sessions, which saves storage space and solves the multi-server load-balancing problem. This method is called JWT (JSON Web Token).
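The uid + time + sign layout from point 1 and the stateless verification from point 6, as an added Python example that is not code from the original notes. It uses the JWT compact form (header.payload.signature, base64url) and signs with HMAC-SHA256, the common JWS variant, rather than encrypting the payload; the secret, the one-hour TTL, the issued payload fields and the tamper_uid helper are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret for the example; in production load it from a secrets store.
SECRET = b"example-server-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; "time" in the notes becomes iat/exp here


def _b64url(data: bytes) -> str:
    # base64url without padding, as JWT uses it
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # restore the padding that _b64url stripped; raises ValueError on bad input
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(uid: str, now: int, secret: bytes = SECRET,
                fixed: Optional[dict] = None) -> str:
    """Build uid + time + sign (+ optional fixed parameters) as header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"uid": uid, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    if fixed:
        payload.update(fixed)  # e.g. a role, so the server need not query the database
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Return the payload if the signature and expiry check out, otherwise None.

    Nothing here touches a session store: any server holding the secret can verify.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    # Recompute the signature over the first two segments and compare in constant time
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        given = _b64url_decode(s)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, given):
        return None
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # Pin the algorithm: never let the token choose how it is verified
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


def tamper_uid(token: str, new_uid: str) -> str:
    """Constructed test helper: rewrite uid in the payload without re-signing."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["uid"] = new_uid
    return f"{h}.{_json_segment(payload)}.{s}"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed issue time
    tok = issue_token("42", now, fixed={"role": "viewer"})
    print(tok)
    print("valid   :", verify_token(tok, now + 10))
    print("tampered:", verify_token(tamper_uid(tok, "1"), now + 10))
    print("expired :", verify_token(tok, now + TOKEN_TTL_SECONDS))
```

The verifier does four checks that the notes only imply: the signature is compared with hmac.compare_digest, the algorithm is pinned to HS256 so the token cannot pick its own verification method, exp is enforced against the server clock, and a different secret or an edited payload yields None. Because the check needs only the shared secret, each server behind the load balancer can verify on its own, which is the point 5/6 advantage over server-held sessions.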