How to realize Token login authentication of JWT by PHP

2025-01-19 update. Source: SLTechnology News&Howtos (shulou.com), Development section. Shulou.com 06/02 report.

This article explains how to implement JWT token login authentication in PHP. The problem comes up often in real projects, so the concepts are covered first and the implementation afterwards; read it carefully and you should come away with something you can use.

1. Introduction to JWT

JSON Web Token (JWT, defined in RFC 7519) is currently the most widely used cross-domain authentication scheme.

Session-based login authentication: the client submits the user name, password and other credentials; after verifying them, the server stores the user's information in a server-side session and puts the session_id in a cookie.

On later requests the browser sends the cookie automatically; the server looks up the session by session_id and recovers the authentication information from it.

The other class of scheme returns the authentication information to the client and has the client store it. On each subsequent request the client sends that information back to the server.

JWT is the representative of this second class: the authentication state is stored on the client.

2. The principle of JWT

The principle is that, after authenticating the user, the server generates a JSON object like the following and returns it to the client:

{"username": "admin", "role": "Super Admin", "expires": "2019-07-13 00:00:00"}

From then on the client sends this JSON object back on every request, and the server relies entirely on it to identify the user.

To stop users from tampering with the data, the server signs the object when it generates it. The token the client actually receives consists of three base64url-encoded parts separated by dots, header.payload.signature: the header names the signing algorithm, the payload is the JSON object above, and the signature is computed over the first two parts with a key that only the server knows (the consequences of this design are discussed in section 4).

The server no longer keeps any session data, that is, it becomes stateless, which makes it easier to scale out.

3. How to use JWT

The client receives the JWT from the server and can store it in a cookie or in localStorage. There is a trade-off: localStorage is readable by any script running on the page, so an XSS bug leaks the token, whereas a cookie marked HttpOnly and SameSite is not reachable from script but is sent automatically, so CSRF has to be considered.

From then on the client sends the JWT on every request to the server. A cookie is sent automatically, but does not work across domains, so it is better to put the token in the Authorization header of the HTTP request:

Authorization: Bearer <token>

Alternatively, when crossing domains, the JWT can be placed in the body of a POST request.

4. Several characteristics of JWT.

(1) A JWT is signed but not encrypted by default: the payload is only base64url-encoded, which anyone can reverse. If confidentiality is needed, the token can be encrypted as well, either by encrypting the signed token again with a key or by using the JWE format.

(2) Because a plain JWT is not encrypted, secret data must never be written into it.

(3) JWT is used not only for authentication but also for exchanging information; used well, it reduces the number of database queries the server has to make.

(4) The biggest drawback of JWT is that, since the server keeps no session state, it cannot revoke a token or change a token's permissions while the token is in use. Once a JWT is signed, it stays valid until it expires, unless the server adds extra logic such as a server-side list of revoked token ids (jti).

(5) A JWT carries the authentication information itself, so anyone who obtains it gets all of the token's permissions. To limit the damage from a stolen token, set a short validity period, and require the user to authenticate again before sensitive operations.

(6) Likewise, to reduce theft, never send a JWT in clear text over HTTP; transmit it only over HTTPS.
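The following is an added example (not code from the original article or from any library) that implements the structure described in sections 2 to 4 by hand: a minimal HS256 issuer and verifier using only PHP's built-in hash_hmac. It shows that the payload is readable without the key, that editing the payload breaks the signature, that the verifier pins the algorithm instead of trusting the token's header, and that expiry is enforced by the verifier. The secret, claims and lifetimes are constructed sample values.

```php
<?php
// Added example, not from the original article: hand-rolled HS256 JWT.
// The secret and claims below are constructed sample values.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

// Issue header.payload.signature; exp is set from a short ttl so a stolen
// token is useful only briefly (section 4, point 5).
function jwt_sign(array $claims, string $secret, int $ttl = 900): string
{
    $header        = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $claims['iat'] = time();
    $claims['exp'] = time() + $ttl;
    $payload       = base64url_encode(json_encode($claims));
    $sig           = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify; returns the claims on success, null on any failure. Nothing in the
// token is trusted until the signature has been checked.
function jwt_verify(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;

    // Pin the algorithm server-side; never let the token pick it ("alg":"none").
    $hdr = json_decode(base64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // Constant-time comparison of expected vs presented signature.
    $expected = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null;
    }

    $claims = json_decode(base64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || time() >= (int) $claims['exp']) {
        return null; // malformed or expired
    }
    return $claims;
}

// ---- demonstration with constructed values ----
$secret = 'change-me-to-a-long-random-secret';
$token  = jwt_sign(['username' => 'admin', 'role' => 'Super Admin'], $secret);

// (a) The payload is readable without the secret: it is encoded, not encrypted.
$readable = json_decode(base64url_decode(explode('.', $token)[1]), true);
echo "payload readable without key: role={$readable['role']}\n";

// (b) Tampering: swap in a payload that promotes another user; the HMAC no longer matches.
$parts    = explode('.', $token);
$parts[1] = base64url_encode(json_encode(['username' => 'guest', 'role' => 'Super Admin', 'exp' => time() + 900]));
echo 'tampered token accepted? ' . (jwt_verify(implode('.', $parts), $secret) ? 'yes' : 'no') . "\n";

// (c) The untouched token verifies; a token past its exp does not.
echo 'valid token role: ' . jwt_verify($token, $secret)['role'] . "\n";
$expired = jwt_sign(['username' => 'admin'], $secret, -1);
echo 'expired token accepted? ' . (jwt_verify($expired, $secret) ? 'yes' : 'no') . "\n";
```

Run it with `php jwt_demo.php`. The important detail for reviewers is the order inside jwt_verify: algorithm check, then signature, then claims. Reading claims before the signature has been verified is how most JWT bugs start.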

5. Function realization

JWT functional components

Install JWT feature components using composer

composer require lcobucci/jwt 3.3

Encapsulate a JWT utility class (library documentation: https://github.com/lcobucci/jwt/tree/3.3)

Extend/tools/jwt/Token.php
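As an added example (not the article's Token.php and not code shipped by the library), the following shows what issuing and checking a login token looks like with the lcobucci/jwt 3.3 API installed above: a Builder-produced HS256 token with issuer, audience, jti, nbf and a short exp, and a checker that verifies the signature before validating the standard claims. It assumes `composer require lcobucci/jwt 3.3` has been run so that vendor/autoload.php exists; the function names issue_token, check_token and bearer_token_from_header, and the issuer, audience, secret and user id, are constructed for the example.

```php
<?php
// Added example, not the article's Token.php: lcobucci/jwt 3.3 usage.
// Assumes `composer require lcobucci/jwt 3.3` has been run.
require __DIR__ . '/vendor/autoload.php';

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\ValidationData;

// Sample values; in a real deployment load the secret from configuration,
// and make it at least 32 random bytes.
const JWT_ISSUER   = 'https://api.example.com';
const JWT_AUDIENCE = 'https://app.example.com';
const JWT_SECRET   = 'replace-with-32-plus-random-bytes-from-config';

// Issue a short-lived token after the user's password has been checked.
function issue_token(int $userId, string $role, int $ttl = 900): string
{
    $now   = time();
    $token = (new Builder())
        ->issuedBy(JWT_ISSUER)
        ->permittedFor(JWT_AUDIENCE)
        ->identifiedBy(bin2hex(random_bytes(16)), true) // jti, also copied into the header
        ->issuedAt($now)
        ->canOnlyBeUsedAfter($now)
        ->expiresAt($now + $ttl)                        // short lifetime (section 4, point 5)
        ->withClaim('uid', $userId)
        ->withClaim('role', $role)
        ->getToken(new Sha256(), new Key(JWT_SECRET));
    return (string) $token;
}

// Check a token taken from the Authorization header; returns claims or null.
function check_token(string $jwt): ?array
{
    try {
        $token = (new Parser())->parse($jwt);
    } catch (\Throwable $e) {
        return null; // malformed token
    }

    // 1. Signature first, with the algorithm fixed by the server, not by the token.
    if (!$token->verify(new Sha256(), new Key(JWT_SECRET))) {
        return null;
    }

    // 2. Then iss, aud, and exp/nbf/iat against the current time.
    $data = new ValidationData();
    $data->setIssuer(JWT_ISSUER);
    $data->setAudience(JWT_AUDIENCE);
    if (!$token->validate($data)) {
        return null;
    }

    return ['uid' => $token->getClaim('uid'), 'role' => $token->getClaim('role')];
}

// Extract the bearer token from an Authorization header value.
function bearer_token_from_header(?string $authorization): ?string
{
    if ($authorization !== null && preg_match('/^Bearer\s+(\S+)$/', $authorization, $m)) {
        return $m[1];
    }
    return null;
}

// Usage with constructed values:
$jwt    = issue_token(42, 'Super Admin');
$claims = check_token(bearer_token_from_header("Bearer $jwt"));
var_dump($claims);                                 // uid => 42, role => "Super Admin"
var_dump(check_token(substr($jwt, 0, -2) . 'xx')); // NULL: signature no longer matches
```

The jti written by identifiedBy is what a server-side revocation list would key on if you need to invalidate tokens before they expire (section 4, point 4); the library itself only checks it when you call setId on the ValidationData.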
