Shulou(Shulou.com)06/03 Report--

Today, I would like to talk to you about the use of token PHP, many people may not know much about it. In order to make you understand better, the editor summarized the following content for you. I hope you can get something according to this article.

The use of token in PHP: 1, the client user enters the user name and password and then logs in, requests token;2, uses the JWT specification to generate token;3 and verify the timeliness of token; 4, the client requests data with token.

This article operating environment: windows7 system, PHP7.1 version, Dell G3 computer.

What is the method of using token PHP?

Generation and use of php token

1. Why use tokent to log in

If the front and rear ends are separated or in order to support multiple web applications, there will be great problems in using the original cookies or session.

Cookie and session authentication can only be carried out under the same primary domain name (currently, session can be stored in redis for resolution).

two。 Solution

Oauth3 and jwt

Jwt: is a safety standard. The basic idea is that the user provides the user name and password to the authentication server, and the server verifies the validity of the information submitted by the user; if the verification is successful, a token (token) is generated and returned.

OAuth3: is a secure authorization framework. It describes in detail how different roles, users, service front-end applications (such as API) and clients (such as websites or mobile APP) authenticate each other in the system.

(jwt is used here, and JSON Web Token is used for authentication.)

3. Generation method

Header: encryption typ

Description: message content

Key: a random code is used to encrypt

The above three parts are used. Connect and encrypt using hs256 to generate tokent

4. Detailed generation method

1)。 The header usually consists of two parts: the type of token (i.e. JWT) and the encryption algorithm used (such as SHA256 or RSA)

{"alg": "HS256", "typ": "JWT"}

The json is then encoded by Base64Url as the first part

2)。 The payload is a declaration. The declaration is the part about the entity.

{"exp": "1525785339", "sub": "1234567890", "name": "John Doe", "admin": true}

Then encode the payload Base64Url as the second part

PS: although this information is protected from tampering, it can be read by anyone. Do not put important information in it unless encrypted)

3)。 Use an encrypted key

4)。 Signature, need to use the first part after encoding, the second part after encoding, and then a key key. Use the encryption algorithm in the first part for signature

HMACSHA256 (base64UrlEncode (header) + "." + base64UrlEncode (payload), key)

This signature is used to verify that the message has been tampered with.

(PHP uses the crypt method for encryption. Note: the two concepts of SHA-256 for tampering protection and AES-256 for encryption are not the same)

5. Token storage location

Usually, you should add JWT (Authorization: Bearer) to the Authorization field in the header header of the request using Bearer mode (of course, you can also put it anywhere, such as passing it as a parameter after URL, as long as the client can recognize it, but since JWT is a specification, we'd better follow the specification)

Undefined

6. Mode of use

After entering the user name and password, the client user logs in and requests token

After receiving the request, the server uses the specification of JWT to generate token and return it to the client.

After receiving the token and decrypting it, the client verifies the timeliness of the token (the expiration time of the token) and saves it.

The client requests data with token

After the server receives the token decryption, it verifies the user's identity, verifies the timeliness, and then authenticates the user.

7. Shortcoming 1. Cannot invalidate issued tokens (refresh usage period for token) 2. It is not easy to deal with expired data (support token failure)

So if you use token, then if token is caught, you can fake it. Therefore, if the security is relatively high, it is recommended to use oauth3.

After reading the above, do you have any further understanding of how to use token PHP? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.