keywords

Login authentication, Login mode, Session, Token, refreshToken, cookie

Why do I need login authentication?

The Web was originally just for browsing documents: everyone who visited a site saw the same data. As the Internet industry grew, shopping sites and forums appeared one after another, and a site needed to know who is logged in and which data belongs to each person, without users affecting each other.

For example, if I add a piece of clothing to my cart in a shopping app and wake up the next day to find that someone else has emptied it, something has gone badly wrong.

Hence the login step: the user enters a username and password to prove that “you are you”, and the server can tell different users apart.

How to maintain login state?

However, HTTP is a stateless protocol. Once a request/response exchange completes (say, the user closes the page), the server keeps no session information, so the user would have to re-enter the username and password on every visit, which is a very poor user experience.

So an identifier is needed that lets the server recognise that this person logged in earlier, without asking for the password again.

The server can generate a random string, the session_ID, during the first session, store it in its database, and send it to the client. The client sends it back on every later request; if the server finds that session_ID in its store, it knows the user has already logged in and does not need to log in again. The session_ID must come from a cryptographically secure random generator and should expire: anyone who can guess or steal a live session_ID is logged in as that user.

How to reduce the pressure on the server?

A session_ID maintains login state and improves the user experience. But if the site has a large number of users, say ten million, the server has to store ten million session_IDs at once, which is a lot of server-side overhead.

If the server cannot afford to store all of them, can the identifier be kept on the client, with the server only verifying it?

At first glance the flow looks like the session_ID scheme with an extra server-side verification step. In fact the session_ID scheme also verifies, but its check is a lookup: does this session_ID exist in the store? Here the idea changes: the server checks the identifier by computation rather than by lookup.

First Login:

The server holds a signing algorithm and a secret key. On first login, the server takes the user’s data, combines it with the secret key using the algorithm to produce a signature, joins the data and the signature into a token, and sends the token to the client. Strictly this is a message authentication code (or a digital signature), not encryption: the data inside the token is readable by anyone who holds it, but cannot be changed without the key.

When the client presents the token on a later request, the server parses the data out of the token, recomputes the signature over that data with the secret key and the same algorithm, and compares the result with the signature carried in the token. If they match, the user has logged in before and does not need to log in again; if they do not match, the token was forged or altered and is rejected. The token should also carry an expiry time that the server checks, since the server no longer has a record it can delete.

How do I store tokens?

Since the token lives on the client, we can store it in a cookie.

A cookie is a small piece of data that the server sends to the user’s browser, which stores it locally and sends it back with every later request to the same server.

In addition, each cookie is bound to one domain and cannot be read or used under other domains.

attribute   description
domain      The domain the cookie belongs to
path        The path (route) under which the cookie is sent. Default is ‘/’
expires     Expiration time, as an absolute date (not a number of days); Max-Age gives a lifetime in seconds instead
HttpOnly    The cookie is not readable from page JavaScript, so a script injected by XSS cannot steal the token
Secure      The cookie is only sent over HTTPS
SameSite    Controls whether the cookie is sent on cross-site requests (CSRF mitigation); Lax or Strict for a login cookie
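Building the Set-Cookie header that carries the token to the browser, and reading it back from the Cookie header on the next request, as an added example in Node.js (not code from the original post; the function names and the sample values are the example’s own):

```javascript
// Added example: serialising a login cookie with the attributes above,
// and parsing the Cookie header the browser sends back.

// opts: { domain, path, expires (Date), maxAge (seconds), httpOnly, secure, sameSite }
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || "/"}`);
  // Expires is an absolute HTTP date, not a day count; Max-Age is seconds.
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push("HttpOnly");   // page JS (XSS) cannot read it
  if (opts.secure) parts.push("Secure");       // only sent over HTTPS
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`); // CSRF mitigation
  return parts.join("; ");
}

// The header a server would send for a login token (sample values are constructed).
function loginCookieHeader(token, expires) {
  return serializeCookie("token", token, {
    domain: "example.com",
    path: "/",
    expires,
    httpOnly: true,
    secure: true,
    sameSite: "Lax",
  });
}

// Parse "a=1; b=2" from the request's Cookie header into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || "").split(";")) {
    const i = pair.indexOf("=");
    if (i < 0) continue;
    const k = pair.slice(0, i).trim();
    const v = pair.slice(i + 1).trim();
    if (k) out[k] = decodeURIComponent(v);
  }
  return out;
}
```

Without HttpOnly, any script running in the page (for example through an XSS bug) can read `document.cookie` and exfiltrate the token, which is as good as the password for as long as the token is valid.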

How do I refresh the token?

refreshToken

The main purpose of the refreshToken is this: when the accessToken expires at the end of its (roughly one-week) lifetime, the client exchanges the refreshToken for a fresh accessToken and a fresh refreshToken. As long as the user has used the site within the last month, they never have to type the username and password again (unless they log out or clear the token).

If the user has not logged in for a month, the refreshToken itself has expired and the login page is shown. A refreshToken should be single-use (the server issues a new one on every exchange and rejects the old one) and recorded server-side, so that a stolen refreshToken can be revoked and a replayed one detected.

Other problems

Differences between the consultant-side and doctor-side Axios wrappers: see the code.