What is the Token mechanism?

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains what the token mechanism is. The method introduced here is simple, fast and practical, so let's walk through it together.

The Internet has reached a mature stage; it is no longer an era in which you can throw together a static website and profit wildly. Products now face many demands, and robustness and security are essential among them. As the first two articles in this series noted, a typical login flow today returns a token to the front end after a successful login, and every subsequent front-end request for data must carry that token for authentication. We keep saying "token", so what exactly is a token? A token is a credential: a string of characters generated by the server, which the server can parse to obtain the user's information.

Because HTTP is a stateless protocol, it has no way to remember a user's login status, so the client must prove its identity on every request. The earliest solution was: when a user logs in successfully, the server generates a record and sends the record's id to the client. The client stores this id in a cookie and sends the cookie along with its next request to the server. The server then checks the information in the cookie to see whether a corresponding record can be found on the server side; if it can, the user has passed identity verification, and the requested data is returned to the client. This is the session id approach: the cookie carries the sessionid. If session authentication works, why choose tokens?

1. A session needs storage space on the server, and with multiple servers the session data must be synchronized between them; a token does not require the server to store user information.

2. A token can be kept in the browser's localStorage, and an app can store the string in its own database, so the cross-domain problems of cookies do not arise.

3. A token can use JWT to carry some less sensitive information, such as the user ID, and the server can use that information once it parses and verifies the token.

Having covered why we use tokens, we now need to know the whole process of token verification:

1. After the user logs in successfully, the server generates a token with the specified algorithm, sets its expiration time to 48h, stores the token in redis, and returns the token value to the client;

2. The client receives the token value and saves it;

3. When the client calls an interface to request data, it sends the token value along with the request;

4. When the server receives the request, it takes the token value and compares it with the token value stored in redis;

5. If the comparison succeeds, the user is in the logged-in state; otherwise the login state is invalid and the user must log in again. Each time the user logs in again, the token's expiration time is refreshed.

Next, let's walk through the whole process with code:

First of all, we implement the login logic. There is nothing special here; you can refer to the article: Interaction between front and back separation that you don't know (2)

On the user's first login, the account and password are matched against the database. If they match, the user's unique identifier uid, account and other basic data are returned. Next we need to generate a token using the specified algorithm.

We generate a simple token, TKN:3:Q:d:8zTEiTJEJ7dee:AOK_H5, from the user's app_sid and account, and then query redis to check whether a token stored under this simple token as the key already exists.

If a token for this user already exists in redis, delete it, then create a new token.

Store the new token in redis, using the simple token as the key name and the final generated token as the value, with an expiration time of 48 hours.

With that, the token generation operation is complete. The basic flow is: when the user logs in successfully, app_sid and account are combined into a simple token, and redis is queried to check whether a token already exists under it. If it does, it is deleted; then a specific algorithm converts the simple token into the final token, which is stored in redis. Finally the token is returned to the front end for storage.

You can see that the token is successfully returned to the front end. Now we also need an interface to validate tokens. Because we store the token directly in redis, when we receive a token from the front end we can simply query redis for it. If the token exists, the user is in the logged-in state and data is returned to the front end; otherwise validation fails and the user is prompted to log in first.
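The redis-backed flow described above, as an added example (not the article's own code): login deletes any existing token for the user, issues a fresh random token with a 48-hour expiry, and the validation interface resolves a presented token by lookup. A plain dict stands in for redis, the simple-token key format and the `session:` reverse mapping are this example's assumptions, and `now` is passed explicitly so expiry can be exercised.

```python
import secrets

# Constructed in-memory stand-in for redis: key -> (value, expires_at in seconds).
STORE = {}
TOKEN_TTL = 48 * 3600  # 48 hours, as in the article

def store_get(key, now):
    """Mimic redis GET with expiry: an expired key behaves as if it were already gone."""
    item = STORE.get(key)
    if item is None:
        return None
    value, expires_at = item
    if now >= expires_at:
        del STORE[key]
        return None
    return value

def simple_token(app_sid, account):
    # Per-user key built from app_sid and account; the exact format is an assumption.
    return "TKN:%s:%s" % (app_sid, account)

def issue_token(app_sid, account, now):
    """Login succeeded: replace any existing token for this user and issue a new one."""
    key = simple_token(app_sid, account)
    old = store_get(key, now)
    if old is not None:
        STORE.pop(key, None)
        STORE.pop("session:" + old, None)  # the previous token stops working
    final = secrets.token_urlsafe(32)  # random, so it cannot be derived or reversed
    STORE[key] = (final, now + TOKEN_TTL)
    # Reverse mapping token -> user (this example's assumption), so a request that
    # carries only the token can still be resolved to the user it belongs to.
    STORE["session:" + final] = (app_sid, now + TOKEN_TTL)
    return final

def verify_token(presented, now):
    """Return the app_sid for a valid, unexpired token, or None."""
    return store_get("session:" + presented, now)
```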

Each time the front end requests a common data interface, the validity of the token is verified; in this way we implement token-based permission verification. But this design has a shortcoming: in theory the server does not need to store tokens at all if a specific encryption and decryption algorithm is specified. Because I used a random algorithm to generate the token, it cannot be reversed, so I had to store it in redis. I think a better solution is to design the encryption and decryption algorithms directly: the server uses the encryption algorithm to generate the token and returns it to the front end; each time the front end requests the common data interface it carries the token, and the server decrypts the token it receives. If decryption succeeds, basic information such as the user's uid is obtained; if it fails, the front end is prompted to log in first.
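A stateless variant of the design suggested above, as an added example that is not the article's code: instead of an encryption algorithm it uses an HMAC-SHA256 signature over a base64url-encoded JSON payload (the same shape as a JWT), so the server needs no redis lookup and can recover the uid from the token alone. The secret key and the claim names are this example's assumptions; the payload is encoded, not encrypted, so only non-sensitive data belongs in it.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; in practice load it from a secrets store, never hard-code it.
SECRET_KEY = b"example-only-replace-with-a-long-random-secret"
TOKEN_TTL = 48 * 3600  # same 48-hour lifetime as the redis design

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())

def create_token(uid, now):
    """Issue '<payload>.<signature>'; the expiry is inside the signed payload."""
    payload = {"uid": uid, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return body + "." + _sign(body)

def parse_token(token, now):
    """Return the payload dict if signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:  # wrong number of parts
        return None
    # Verify before decoding, with a constant-time comparison of the signatures.
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # malformed or expired: the front end must log in again
    return payload
```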

At this point, I believe everyone has a deeper understanding of what the token mechanism is. Now go and try it in practice!
