
How to understand cookie, session and JWT in session management

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how cookies, sessions and JWTs are used in session management: where each is stored, what each is good and bad at, and how JWT differs from OAuth.

Storage location

All three are used in web applications to give the stateless HTTP protocol a way of maintaining state across requests.

Cookie: cookie data is stored in the browser as key-value pairs and can be read directly in the browser's developer tools. The following is a screenshot of Safari's cookies:

Session: the session data is stored on the server, and the server sends the browser a cookie that holds only the session_id. On each subsequent request the server looks up the corresponding session data using the session_id from that cookie.

JWT: the JWT is stored in the browser's storage or in a cookie. It is a token generated by the server from JSON data and consists of three parts: header, payload and signature. Generally speaking, the header states the signing algorithm and the token type; the payload carries the relevant state information; the signature is computed over the header and payload using the server's secret_key. Note that the header and payload are only encoded, not encrypted by default, so do not place sensitive information in the payload or header of a JWT unless it is encrypted. The following is a screenshot from the official website:

Advantages and disadvantages

Cookie:

Advantages:

The structure is simple. A cookie is a lightweight text-based structure containing simple key-value pairs.

The data is persistent. Although how long a cookie survives on the client depends on its expiration handling and on user intervention, a cookie is usually the longest-lasting form of data retention on the client.

Disadvantages:

The size is limited. Most browsers limit a cookie to 4096 bytes, although support for an 8192-byte cookie size has become more common in newer browser and client device versions.

It is not a safe place for data. Cookie contents are exposed in the browser, which greatly increases the risk of data theft, so data that must stay private should either not be put in a cookie at all or should be encrypted first.

Vulnerable to CSRF attacks. A csrf_token can be issued and checked to defend against them.

Session:

Advantages:

Session data is stored on the server, which to a certain extent makes it more secure than data kept in a cookie. Compared with JWT it is easier to manage: when a user logs in or logs out, the server only needs to create or delete the corresponding session.

Disadvantages:

Session data is stored on the server, which increases the server's cost. When there are many users, server performance drops significantly.

Because user identification is based on the cookie, if the cookie is intercepted users are vulnerable to cross-site request forgery attacks.

After a user authenticates, the server keeps an authentication record. If that record is held in memory, the user's next request must go to the same server to obtain authorized resources. This limits load balancing and cluster-level scaling in distributed applications.

JWT:

Advantages:

Because JSON is universal, JWT works across languages; JAVA, JavaScript, PHP and many other languages can produce and consume it.

Because of the payload section, a JWT can itself carry the non-sensitive information that other business logic needs.

Easy to transmit: the structure of a JWT is very simple and it occupies very few bytes.

No session information needs to be saved on the server side, which helps the server scale horizontally.

Disadvantages:

Renewing the login state. For example, if the token's validity period is set to one hour and the user is still using the web application after that hour, you cannot expect them to log in again. One available solution is to return a new token on every request and have the front end replace the old token with the new one, so that each request extends the token's validity; the drawback is that tokens must be generated very frequently. Another option is to check how long the token has left and return a new token only when it is about to expire.

The user actively logs out. A JWT by itself cannot be revoked, so a client could still use the token elsewhere. To support logout, my solution is to add the token to a redis blacklist on the server when the user logs out.

The difference between JWT and OAuth

These two concepts are always confused, so they are introduced together.

OAuth2 is an authorization framework, used when logging in with a third-party account (for example, logging in to an app with weibo, qq or github).

JWT is an authentication protocol, used with a separated front end and back end when a back-end API simply needs to be protected. Whichever you use, remember to use HTTPS to keep your data secure.

That covers how cookie, session and JWT are used in session management.
