What is a token

A token is a string that the server generates as an identifier, which the client presents when it makes requests.

When a user logs in for the first time, the server generates a token and returns it to the client. From then on the client only needs to carry the token to request data; it does not send the username and password again.

A simple token has three parts: uid (a unique user identifier), time (the timestamp of the current moment), and sign (a signature: a fixed number of hexadecimal characters produced by hashing the other fields with a hash algorithm, so that a leaked token cannot simply be altered and reused).

Overview of Identity authentication

Since HTTP is a stateless protocol, it does not know who is accessing the application. Every user is just a client; the client authenticates with a username and password, but the next time it sends a request, it has to authenticate again.

The usual solution is this: when a user sends a login request and the credentials check out, the server creates a record showing which user logged in and sends the record's id back to the client. The client stores this id in a cookie, and the next time it sends a request to the server it includes the cookie. The server then checks the information in the cookie to see whether it can find the corresponding record; if it can, the user has already been authenticated and the requested data is returned to the client.

The procedure described above uses a session, and that id value is the session id. The sessions generated for users have to be stored on the server, whether in memory, on disk, or in a database.

Token-based identity authentication

Token authentication does not require the server to keep a record of user logins. The general process:

  1. The client requests login using the username and password.
  2. The server receives the request and verifies the username and password.
  3. After successful authentication, the server generates a token and sends it to the client.
  4. The client receives the token and stores it in a cookie or in local storage.
  5. Every time the client sends a request to the server, it must carry the token the server issued.
  6. The server receives the request and verifies the token it carries. If verification succeeds, the requested data is returned to the client.
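The uid/time/sign layout from the opening section and the issue-and-verify steps above, as an added example in Python (this is not code from the original article): the sign is an HMAC-SHA256 over the uid and timestamp, keyed with a server-side secret and truncated to a fixed number of hex characters, and the verifier enforces an expiry and compares signatures in constant time. SERVER_SECRET, TOKEN_LIFETIME and SIGN_LENGTH are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret for this example; a deployment loads it from
# configuration. The lifetime and signature length are assumptions, not values
# taken from the article.
SERVER_SECRET = b"example-only-secret-change-me"
TOKEN_LIFETIME = 3600   # seconds a token stays valid
SIGN_LENGTH = 32        # hex characters of the HMAC kept as the "sign" field


def _sign(uid: str, issued_at: int) -> str:
    """Keyed hash (HMAC-SHA256) over uid and timestamp, truncated to SIGN_LENGTH hex chars.

    Keying the hash with a server secret is what stops a client that knows the
    token format from computing a valid sign for a uid it does not own.
    """
    message = f"{uid}.{issued_at}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()[:SIGN_LENGTH]


def issue_token(uid: str, now: Optional[int] = None) -> str:
    """Build the uid.time.sign token handed to the client after a successful login."""
    if "." in uid:
        raise ValueError("uid must not contain the field separator '.'")
    issued_at = int(time.time()) if now is None else now
    return f"{uid}.{issued_at}.{_sign(uid, issued_at)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the uid if the token is well-formed, unexpired and correctly signed, else None."""
    current = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    uid, issued_str, sign = parts
    if not issued_str.isdigit():
        return None
    issued_at = int(issued_str)
    # Enforce the expiry the server chose; also refuse timestamps from the future.
    if issued_at > current or current - issued_at > TOKEN_LIFETIME:
        return None
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(sign, _sign(uid, issued_at)):
        return None
    return uid


if __name__ == "__main__":
    t = issue_token("user42")
    print("issued:", t)
    print("verified uid:", verify_token(t))
    print("tampered:", verify_token(t[:-1] + "x"))
```

Because the uid and timestamp are carried in the token itself, the server needs no per-user login record to verify it; what it must protect is SERVER_SECRET, since anyone holding it can mint tokens for any uid.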

The token mechanism can be used for login authentication in the following ways:

A. Use the MAC address of the device as the token

Client: during login the client obtains the device's MAC address and passes it to the server as a parameter.

Server: the server receives this parameter, stores it in the database as the token, and also puts it in the session. Every request is intercepted and the token sent by the client is compared with the one held in the server-side session: if they are the same, the login succeeds; if they differ, the request is rejected.

In this mode every device has a unique id, so the client and server share one unique identifier. The disadvantage is that the server has to save the MAC address. The advantage is that the client does not need to log in again: after logging in once it can keep using the service, and timeouts are handled by the server.

B. Use the sessionID as the token

Client: the client logs in with the username and password.

Server: the server verifies the username and password and returns the locally obtained sessionid to the client as the token. The client then only needs to carry it when requesting data.

The advantage of this method is that it is convenient and stores no extra data. The disadvantage is that once the session expires, the client has to log in again before it can request data.

For applications with high security requirements, the MAC address together with the username and password can be used as the token for authentication.

Using the token mechanism for identity authentication in an app

When a user logs in to the app, the app sends the encrypted username and password to the server. The server verifies them; if authentication succeeds, it generates a string to serve as the token, stores the token on the server, and returns it to the app.

On later requests the app carries the token wherever verification is needed. The server verifies the token: on success it returns the requested result, and on failure it returns an error message so that the user can log in again. The server sets an expiry time for the token and checks both the token and its expiry on every request from the app.

Token storage

The token can be stored in the database, but then looking it up may take too long and the token can be lost.

To avoid long lookup times, tokens can be kept in memory. If the token is a 32-bit string, even millions or tens of millions of users will not take up much memory.
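The server-side token store described in the app section and here, as an added example in Python that is not part of the original article: random opaque tokens are issued, kept in memory with an expiry timestamp, and checked on every lookup. One design choice of this example (not something the article prescribes) is that only the SHA-256 of each token is stored, so a copy of the store's contents cannot be replayed as live tokens. TOKEN_TTL is an assumption.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL = 3600  # seconds; an assumption for this example, not a value from the article


class TokenStore:
    """In-memory token store: SHA-256(token) -> (uid, expiry timestamp).

    Only the hash of the token is kept, so a dump of the store cannot be used
    as tokens; lookups hash the presented token before searching.
    """

    def __init__(self, ttl: int = TOKEN_TTL) -> None:
        self.ttl = ttl
        self._records: Dict[str, Tuple[str, int]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, uid: str, now: Optional[int] = None) -> str:
        """Create a random 32-hex-character token for uid and record its expiry."""
        current = int(time.time()) if now is None else now
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, 32 hex characters
        self._records[self._key(token)] = (uid, current + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the uid for a live token, or None if the token is unknown or expired."""
        current = int(time.time()) if now is None else now
        key = self._key(token)
        record = self._records.get(key)
        if record is None:
            return None
        uid, expires_at = record
        if current >= expires_at:
            del self._records[key]  # lazy eviction: an expired token is dropped on first sight
            return None
        return uid

    def revoke(self, token: str) -> None:
        """Invalidate a token early (logout, suspected compromise)."""
        self._records.pop(self._key(token), None)

    def purge_expired(self, now: Optional[int] = None) -> int:
        """Drop every expired record and return how many were removed."""
        current = int(time.time()) if now is None else now
        expired = [k for k, (_, exp) in self._records.items() if current >= exp]
        for k in expired:
            del self._records[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice")
    print("issued:", tok, "-> uid:", store.lookup(tok))
    store.revoke(tok)
    print("after revoke:", store.lookup(tok))
```

A periodic call to purge_expired keeps the store from growing with tokens that were never presented again; lazy eviction alone only removes tokens that a client tries to reuse after they expire.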

 

Token encryption

Tokens leak easily, and if they are not encrypted, a leaked token can simply be copied and used to log in. Encryption methods generally include:

  1. The token is symmetrically encrypted when stored and decrypted when used.
  2. The signature (sign) mentioned at the beginning of the article: the request URL, timestamp and token are combined and encrypted with an algorithm.

It is best to use a combination of the two.
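The second method above (signing each request over the URL, timestamp and token), as an added example in Python that is not code from the original article. The client computes an HMAC-SHA256 over method, URL, timestamp and token with a secret the server handed out at login; the server recomputes it, rejects timestamps outside a window, and remembers recently accepted signatures so an intercepted request cannot be replayed inside that window. The header names, CLIENT_SECRETS and REPLAY_WINDOW are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

REPLAY_WINDOW = 300  # seconds a request timestamp is accepted; an assumption

# Constructed data: the per-token secret the server handed out at login.
# The header names X-Token / X-Timestamp / X-Sign are choices made for this example.
CLIENT_SECRETS: Dict[str, bytes] = {"tok-abc": b"example-client-secret-abc"}

# Signatures accepted recently (sign -> timestamp it carried), so that a captured
# request cannot be submitted a second time inside the window.
_seen: Dict[str, int] = {}


def _canonical(method: str, url: str, timestamp: int, token: str) -> bytes:
    """Fixed byte layout of what gets signed; newline separators keep the fields apart."""
    return f"{method.upper()}\n{url}\n{timestamp}\n{token}".encode()


def _signature(secret: bytes, method: str, url: str, timestamp: int, token: str) -> str:
    return hmac.new(secret, _canonical(method, url, timestamp, token), hashlib.sha256).hexdigest()


def sign_request(method: str, url: str, token: str, secret: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: build the headers that carry token, timestamp and signature."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {"X-Token": token, "X-Timestamp": str(ts),
            "X-Sign": _signature(secret, method, url, ts, token)}


def verify_request(method: str, url: str, headers: Dict[str, str],
                   now: Optional[int] = None) -> bool:
    """Server side: recompute the signature, reject stale timestamps and replays."""
    current = int(time.time()) if now is None else now
    token = headers.get("X-Token", "")
    secret = CLIENT_SECRETS.get(token)
    if secret is None:
        return False
    ts_str = headers.get("X-Timestamp", "")
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if abs(current - ts) > REPLAY_WINDOW:
        return False
    expected = _signature(secret, method, url, ts, token)
    presented = headers.get("X-Sign", "")
    if not hmac.compare_digest(presented, expected):
        return False
    # Forget cache entries too old to be accepted anyway, then check for a replay.
    for sign, seen_ts in list(_seen.items()):
        if current - seen_ts > REPLAY_WINDOW:
            del _seen[sign]
    if presented in _seen:
        return False
    _seen[presented] = ts
    return True


if __name__ == "__main__":
    hdrs = sign_request("GET", "/api/orders?id=7", "tok-abc", CLIENT_SECRETS["tok-abc"])
    print("first delivery accepted:", verify_request("GET", "/api/orders?id=7", hdrs))
    print("replay accepted:", verify_request("GET", "/api/orders?id=7", hdrs))
```

The signature binds the token to one specific request at one specific time, so a token that is observed in transit is worth much less to whoever captured it than a bare token would be; it does not replace HTTPS, which is still what keeps the token and secret out of view in the first place.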

It is also dangerous to transmit tokens in plaintext over the network, so always use HTTPS.

This article is reprinted from www.toutiao.com/i6499626658…