2025-03-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this article, the editor introduces in detail how to implement JWT login authentication in PHP. The content is laid out step by step and the details are handled with care; I hope this article helps you resolve your doubts about JWT-based login.
I. What is JWT
1. Brief introduction
JWT (JSON Web Token, RFC 7519) is an open, JSON-based standard for passing claims between parties in a web application environment.
Put simply, a JWT is a token format, not an encryption scheme. The server generates the token by signing a set of claims with a secret key and a declared algorithm, and sends it to the client. The client only has to carry the token in the HTTP Authorization header on every subsequent request. The server is responsible for checking that the token's signature is valid and that it has not expired, after which it can read the subject and the other claims directly out of the token.
2. The composition of JWT
A JWT consists of three parts: the first is the header, the second is the payload, and the third is the signature. Each part is base64url-encoded, and the three parts are joined with a dot (.).
A standard JWT looks like this:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IjRmMWcyM2ExMmFhMTEifQ.eyJpc3MiOiJodHRwOlwvXC9leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHA6XC9cL2V4YW1wbGUub3JnIiwianRpIjoiNGYxZzIzYTEyYWExMSIsImlhdCI6MTY0MDE3MTA1MywibmJmIjoxNjQwMTcxMDU0LCJleHAiOjE2NDAxNzQ2NTMsInVpZCI6MjAsInVzZXJuYW1lIjoiTWFrZSJ9.bysUwNIyhqqEyL0JecSHdplSTfE6G6zuCsrAn6eyrQM
Parsing this token with https://jwt.io/ gives the following. Header: {"typ":"JWT","alg":"HS256","jti":"4f1g23a12aa11"}. Payload: {"iss":"http://example.com","aud":"http://example.org","jti":"4f1g23a12aa11","iat":1640171053,"nbf":1640171054,"exp":1640174653,"uid":20,"username":"Make"}. Note that anyone holding the token can decode these two parts without the secret; only the signature depends on it.
3. JWT signing and verification process, and characteristics
Signing process:
① Declare the signing algorithm and the token type in the header, then serialize the header to a JSON string.
② Put the user information and the other claims in the payload, and serialize the payload to a JSON string as well.
③ Base64url-encode both strings, join them with a dot, and compute a signature over that string using the algorithm declared in the header and the project's secret (which should be randomly generated for each project). The signature is unique to this header, payload and secret; the token is the three base64url parts joined by dots. Nothing in this process is encrypted: base64url is reversible, so the header and payload are readable by anyone who holds the token.
④ When the client sends a request carrying the JWT, the server does not "decrypt" it. It recomputes the signature over the received header and payload with its own secret and compares it with the signature in the token; only if they match (and the time claims are valid) are the claims trusted.
Features:
① It consists of three parts, each of which is serialized to a string and base64url-encoded.
② Verification does not touch the database; only the secret is needed to check the signature.
③ The JWT secret must not be leaked! Whoever holds it can mint a valid token for any user id.
④ Because it does not rely on the database, the server reads the saved user information straight out of the token and checks the token's validity from its signature and time claims. Verification is simpler and more convenient, and single sign-on becomes easier to implement.
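The signing and verification steps above, done by hand in PHP as an added example (this code is not from the original article; the secret and the sample payload are constructed for the demo). It first decodes the article's own sample token to show that the claims are readable without any secret, then mints a token with HMAC-SHA256 and shows that a tampered payload or an expired exp is rejected:

```php
<?php
// Added example, not code from the original article. Requires PHP 7.3+ (JSON_THROW_ON_ERROR).
// The secret and payload below are constructed for the demo; a real project loads the secret from outside the code.
declare(strict_types=1);

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $padded  = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('invalid base64url');
    }
    return $decoded;
}

// Steps ①-③: JSON-encode header and payload, sign "header.payload" with HMAC-SHA256.
function jwt_sign_hs256(array $payload, string $secret): string
{
    $header       = ['typ' => 'JWT', 'alg' => 'HS256'];
    $signingInput = base64url_encode(json_encode($header)) . '.' . base64url_encode(json_encode($payload));
    $signature    = hash_hmac('sha256', $signingInput, $secret, true);
    return $signingInput . '.' . base64url_encode($signature);
}

// Step ④: nothing is decrypted. The server recomputes the HMAC with its secret and compares it
// to the signature carried in the token. Returns the claims on success, null otherwise.
function jwt_verify_hs256(string $jwt, string $secret, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    try {
        $header    = json_decode(base64url_decode($h), true, 512, JSON_THROW_ON_ERROR);
        $payload   = json_decode(base64url_decode($p), true, 512, JSON_THROW_ON_ERROR);
        $signature = base64url_decode($s);
    } catch (Throwable $e) {
        return null;
    }
    // Pin the algorithm: never let the token's own header choose it ("none", algorithm confusion).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, $signature)) {   // constant-time comparison
        return null;
    }
    // Time claims: this is the "has it expired" check from the article.
    if (!is_array($payload) || !isset($payload['exp']) || $now >= (int) $payload['exp']) {
        return null;
    }
    if (isset($payload['nbf']) && $now < (int) $payload['nbf']) {
        return null;
    }
    return $payload;
}

// The payload of ANY JWT is readable without the secret: decode the article's sample token.
$articleToken = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IjRmMWcyM2ExMmFhMTEifQ.eyJpc3MiOiJodHRwOlwvXC9leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHA6XC9cL2V4YW1wbGUub3JnIiwianRpIjoiNGYxZzIzYTEyYWExMSIsImlhdCI6MTY0MDE3MTA1MywibmJmIjoxNjQwMTcxMDU0LCJleHAiOjE2NDAxNzQ2NTMsInVpZCI6MjAsInVzZXJuYW1lIjoiTWFrZSJ9.bysUwNIyhqqEyL0JecSHdplSTfE6G6zuCsrAn6eyrQM';
print_r(json_decode(base64url_decode(explode('.', $articleToken)[1]), true));

$secret = random_bytes(32);   // constructed demo secret, 32 random bytes
$now    = time();
$token  = jwt_sign_hs256(['uid' => 20, 'iat' => $now, 'nbf' => $now, 'exp' => $now + 3600], $secret);
var_dump(jwt_verify_hs256($token, $secret, $now) !== null);   // genuine token within its lifetime

// Tampering: swap the payload for one with a different uid but keep the original signature.
[$h, $p, $s] = explode('.', $token);
$forged = $h . '.' . base64url_encode(json_encode(['uid' => 1, 'exp' => $now + 3600])) . '.' . $s;
var_dump(jwt_verify_hs256($forged, $secret, $now));           // signature no longer matches
var_dump(jwt_verify_hs256($token, $secret, $now + 3601));     // past exp
```

The two checks that matter most for security are the pinned alg header and hash_equals: a verifier that trusts the algorithm named in the token, or compares signatures with ==, is what turns a JWT library into a vulnerability.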
II. Related issues
Does the JWT token need to be persisted in Redis or Memcached?
It should not be. Storing it turns the stateless JWT into a stateful one and departs from the original intention that a JWT is verified by the algorithm alone. The price of staying stateless is that a token cannot be revoked before its exp, so keep the expiration time short.
How can a JWT token be invalidated on logout?
On logout the client simply discards the token; the server does not need to do anything. Be aware that the discarded token remains valid until it expires; if logout must take effect immediately, the server has to keep a denylist of revoked jti values, which reintroduces state.
How can the client stay logged in for a long time?
The server provides an interface for refreshing the token, and the client calls it according to its own logic (for example, shortly before the current token expires) to exchange the current token for a new one.
III. PHP implementation
1. Introduce the dependency
composer require lcobucci/jwt (the 3.x series)
2. Function implementation
Issue token: set the issuer (iss), the audience (aud), a unique ID (jti), the issuing time (iat), the effective-immediately time (nbf), the expiration time (exp), the user id, the username, and the signature. The user id and username are the information deliberately stored in the token; other fields can be added so that they are available directly when the token is parsed, but they must not be sensitive data, because the payload is only encoded, not encrypted.
Verify token: check whether the token is legal (signature and algorithm) and whether it has expired, then read the subject and the other claims. The token is passed as a Bearer token in the Authorization header, as follows: Authorization: Bearer <token>
3. The wrapper class is as follows
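The article's own wrapper class is not reproduced on this page. The following is an added example of such a class, written against the lcobucci/jwt 3.x API (Builder, Parser, ValidationData; version 4 replaced these with Configuration and Constraint objects) and assuming that Composer's autoloader is available and that the HS256 secret comes from a JWT_SECRET environment variable. The issuer, audience, lifetime and claim names follow the sample token above; the class and method names are the example's own, not the article's:

```php
<?php
// Added example, not the article's utility class. Targets lcobucci/jwt 3.x.
// Assumptions: vendor/autoload.php exists and the secret is provided via the JWT_SECRET env var.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\ValidationData;

final class JwtAuth
{
    private const ISSUER   = 'http://example.com';   // iss, as in the sample token
    private const AUDIENCE = 'http://example.org';   // aud, as in the sample token
    private const TTL      = 3600;                   // exp - iat: one hour, as in the sample token

    private $signer;
    private $secret;

    public function __construct(string $secret)
    {
        // An HS256 secret must be high-entropy; refuse anything shorter than 32 bytes.
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('JWT secret must be at least 32 bytes');
        }
        $this->signer = new Sha256();
        $this->secret = $secret;
    }

    /** Issue a token that carries only non-sensitive identification: user id and username. */
    public function issue(int $uid, string $username, ?int $now = null): string
    {
        $now = $now ?? time();
        $jti = bin2hex(random_bytes(8));          // unique ID per token
        $token = (new Builder())
            ->issuedBy(self::ISSUER)
            ->permittedFor(self::AUDIENCE)
            ->identifiedBy($jti, true)            // true replicates jti into the header, as in the sample
            ->issuedAt($now)
            ->canOnlyBeUsedAfter($now)            // nbf: effective immediately
            ->expiresAt($now + self::TTL)
            ->withClaim('uid', $uid)
            ->withClaim('username', $username)
            ->getToken($this->signer, new Key($this->secret));
        return (string) $token;
    }

    /**
     * Verify signature, algorithm, issuer, audience and time claims.
     * Returns ['uid' => ..., 'username' => ...] or null; claims are never read from an unverified token.
     */
    public function verify(string $jwt, ?int $now = null): ?array
    {
        try {
            $token = (new Parser())->parse($jwt);
            // verify() returns false when the alg header does not match the configured signer.
            if (!$token->verify($this->signer, new Key($this->secret))) {
                return null;
            }
            $data = new ValidationData($now ?? time());
            $data->setIssuer(self::ISSUER);
            $data->setAudience(self::AUDIENCE);
            if (!$token->validate($data)) {       // checks iss, aud, iat, nbf, exp
                return null;
            }
            if (!$token->hasClaim('uid') || !$token->hasClaim('username')) {
                return null;
            }
            return [
                'uid'      => (int) $token->getClaim('uid'),
                'username' => (string) $token->getClaim('username'),
            ];
        } catch (Exception $e) {                   // malformed or unsigned tokens throw inside the library
            return null;
        }
    }

    /** Extract the token from an "Authorization: Bearer <jwt>" header value. */
    public static function fromAuthorizationHeader(?string $header): ?string
    {
        if ($header !== null && preg_match('/^Bearer\s+([A-Za-z0-9\-_.]+)$/', trim($header), $m)) {
            return $m[1];
        }
        return null;
    }
}

// Usage (CLI demo; the fallback secret is constructed for the demo, a real app sets JWT_SECRET).
$auth   = new JwtAuth(getenv('JWT_SECRET') ?: bin2hex(random_bytes(32)));
$jwt    = $auth->issue(20, 'Make');
$header = 'Bearer ' . $jwt;                                     // what the client sends
$claims = $auth->verify(JwtAuth::fromAuthorizationHeader($header) ?? '');
print_r($claims);
```

Two points worth keeping when adapting this: the signer is fixed in the server's configuration and the library compares the token's alg header against it, so a token rewritten with "alg":"none" or a different algorithm fails before any claim is read; and the secret is validated for length at construction, because a short or guessable HS256 secret lets an attacker forge tokens for any uid offline.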