
What are the differences between JWT and cookie and token

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains the differences between JWT, cookie-based authentication and token-based authentication. The approach introduced here is simple and practical; the sections below walk through each mechanism in turn.

Catalogue

1. Cookie

A) How cookie authentication works

B) The shortcomings of cookie authentication

2. Token

A) The authentication process of token

B) The characteristics of token authentication

3. JWT

A) Introduction to JWT

B) JWT composition

C) Why use JWT

D) Maven introduction of JWT

1. Cookie

A) How cookie authentication works

1. The user enters the user name and password and sends them to the server.

2. The server validates the user name and password; if they are correct, it creates a session and returns the session ID to the client browser. Because the ID is stored in the browser's cookie, this authentication method is called cookie-based authentication.

3. In subsequent requests, the browser sends the session ID to the server. If a session with that ID can be found on the server, the server returns the requested data to the browser.

4. When the user logs out, the session is destroyed on both the client side and the server side.

B) The shortcomings of cookie authentication

1. The server needs to keep session information for every user. A large number of connected users puts heavy memory pressure on the server.

2. Cookies are bound to a single domain name, so this scheme is not suitable for third-party requests.
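The four steps above, as an added example that is not part of the original article: a minimal server-side session table keyed by a random session ID, the Set-Cookie line that hands the ID to the browser, and the lookup that later requests go through. The user record and the cookie attribute values are constructed for the demo; the point to notice is that the server must hold a SESSIONS entry for every logged-in user, which is exactly the memory cost the article describes.

```python
import secrets
from typing import Dict, Optional

# Constructed demo credential store; a real server would keep salted password hashes.
USERS = {"alice": "correct horse battery staple"}

# Server-side session table: session_id -> username. This is the per-user state
# that cookie-based authentication forces the server to keep.
SESSIONS: Dict[str, str] = {}


def login(username: str, password: str) -> Optional[str]:
    """Steps 1-2: check the credentials and create a session.
    Returns the session ID the server would send in Set-Cookie, or None."""
    if USERS.get(username) != password:
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable random ID; carries no user data
    SESSIONS[session_id] = username
    return session_id


def set_cookie_header(session_id: str) -> str:
    """The Set-Cookie line sent after login. HttpOnly keeps page scripts from
    reading the ID, Secure restricts it to HTTPS, SameSite limits cross-site
    sending (the single-domain nature the article mentions)."""
    return f"sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal parser for a Cookie request header such as 'theme=dark; sid=abc'."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_request(cookie_header: str) -> Optional[str]:
    """Step 3: look the session ID up; return the username if the session exists."""
    session_id = parse_cookie_header(cookie_header).get("sid")
    if session_id is None:
        return None
    return SESSIONS.get(session_id)


def logout(session_id: str) -> None:
    """Step 4: destroy the server-side session; the client discards the cookie."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    sid = login("alice", "correct horse battery staple")
    print(set_cookie_header(sid))
    print("request as:", handle_request(f"theme=dark; sid={sid}"))
    logout(sid)
    print("after logout:", handle_request(f"sid={sid}"))
```

Because the cookie only carries an opaque ID, every request costs the server a lookup in SESSIONS, and a multi-server deployment has to share that table somehow, which is the problem the token and JWT sections go on to address.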

2. Token

A) The authentication process of token

1. The user enters a user name and password and sends them to the server.

2. The server validates the user name and password and, if they are correct, returns a signed token (the token can be thought of as a long string); the browser client stores the token.

3. In each subsequent request, the browser sends the token to the server in an HTTP header, and the server verifies whether the signature is valid. If it is valid, authentication succeeds and the data the client needs can be returned.

4. When the user logs out, only the client needs to discard the token; no action is required on the server side.

B) The characteristics of token authentication

The characteristic of this method is that the client carries the relevant information inside the token while the server stores nothing and is only responsible for verifying the signature. No database lookup is needed per request, so execution efficiency is greatly improved.

3. JWT

A) Introduction to JWT

1. JWT is the abbreviation of JSON Web Token. It encodes the user information into a token and signs it; the server does not store any user information. The server checks the token's signature with the key it holds and accepts the token as long as the signature is correct. Note that the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it and it must not carry secrets.

2. The advantages are that in a distributed system the single sign-on problem is solved well and session sharing is no longer an issue. A JWT is short and can be carried in a URL (it is URL-safe). Unlike cookies, which only work in web (browser) environments, JWT can be used both from web pages and from RESTful interfaces.

The disadvantage is that an issued token cannot be invalidated before it expires, so it is not easy to cope with data that should expire early.

B) JWT composition

JWT consists of three parts: the Header, the Payload and the Signature. The token is formed by concatenating the three parts with a "." between them.

Such as:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

The Header usually has two fields: typ, the type of the token, which here is JWT; and alg, the hash algorithm used for the signature, such as HMAC SHA256 or RSA.

{"alg": "HS256", "typ": "JWT"}

This JSON is base64url-encoded to form the first part.

2. Payload

The second part of the token is the payload, which contains a set of claims (statements about an entity, usually the user, together with some other metadata).

There are three categories of claims:

1) Registered claims: a set of predefined claims that are not mandatory but are recommended as a useful, interoperable baseline. They include iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.

2) Public claims

3) Private claims: custom claims agreed upon by the two parties exchanging information

{"sub": "1234567890", "name": "John Doe", "admin": true}

The second part is also base64url-encoded.

3. Signature

Sign the encoded header, the encoded payload and a secret using the algorithm specified in the header.

For example, with the HMACSHA256 algorithm the general process is: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

This signature field is used to identify the sender of the JWT and to ensure that the content has not been modified.
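The token flow in the Token section, the HMACSHA256 construction just described and the "cannot be invalidated" drawback from the JWT introduction, together as one added example that is not code from the original article: a from-scratch encoder and verifier using only the standard library. It builds header.payload.signature exactly as the formula above, verifies with a constant-time comparison, rejects any header algorithm the verifier did not choose (including "none"), checks exp, and consults a server-side list of revoked jti values, which is the common mitigation for the revocation problem. The secret, claims and revoked IDs are constructed for the demo; the token it decodes is the example token shown above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Set

# Only the algorithms this verifier is willing to accept. A token's own header
# never gets to pick anything outside this table.
SUPPORTED_ALGS = {"HS256": hashlib.sha256}

# The example token from the article (header.payload.signature).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT uses for all three segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_encode(payload: Dict[str, Any], secret: bytes, alg: str = "HS256") -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    digest = hmac.new(secret, signing_input.encode("ascii"), SUPPORTED_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(digest)


def jwt_header(token: str) -> Dict[str, Any]:
    """Decode the header segment (no verification)."""
    return json.loads(b64url_decode(token.split(".")[0]))


def jwt_decode_unverified(token: str) -> Dict[str, Any]:
    """Read the payload WITHOUT checking the signature. It is only encoded,
    not encrypted, so anyone who holds the token can do this."""
    return json.loads(b64url_decode(token.split(".")[1]))


def jwt_verify(token: str, secret: bytes, now: Optional[int] = None,
               revoked_jti: Set[str] = frozenset()) -> Optional[Dict[str, Any]]:
    """Return the claims if the signature, expiry and revocation checks pass, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") not in SUPPORTED_ALGS:
            return None  # covers alg "none" and any algorithm we did not choose
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            SUPPORTED_ALGS[header["alg"]]).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # tampered payload, wrong key, or forged signature
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64 or bad JSON in any segment
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None  # short-lived tokens bound the damage of a leaked token
    if claims.get("jti") in revoked_jti:
        return None  # server-side denylist: the usual answer to "cannot be invalidated"
    return claims


if __name__ == "__main__":
    print("page token header :", jwt_header(PAGE_TOKEN))
    print("page token payload:", jwt_decode_unverified(PAGE_TOKEN))
    secret = b"constructed-demo-secret"  # constructed; use a long random key in practice
    tok = jwt_encode({"sub": "42", "jti": "session-1", "exp": int(time.time()) + 300}, secret)
    print("fresh token verifies:", jwt_verify(tok, secret))
    print("after revocation    :", jwt_verify(tok, secret, revoked_jti={"session-1"}))
```

Two details carry most of the security weight: the verifier chooses the algorithm from its own table rather than trusting the header, and the comparison uses hmac.compare_digest so that signature checking does not leak timing information. The revocation list reintroduces a little server-side state, which is the trade-off the article's disadvantage paragraph is pointing at.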

C) Why use JWT

Compared to the XML format, JSON is simpler and smaller after encoding, which makes JWT more compact than SAML and better suited to transport in HTML and HTTP environments.

In terms of security, SWT can only be signed with the HMAC algorithm and a shared symmetric key, while JWT and SAML tokens can be signed with X.509-certified public/private key pairs. Compared with plain JSON, XML and XML digital signatures introduce complex security vulnerabilities.

Because JSON maps directly to objects and JSON parsers are available in most programming languages, while XML has no such natural document-to-object mapping, JWT is more convenient to use than SAML.

Java json web token utility class

D) Maven introduction of JWT

The Java example uses the jjwt library, Maven coordinates io.jsonwebtoken : jjwt, version 0.9.0.

That is the whole of this article. I believe you now have a deeper understanding of "what are the differences between JWT and cookie and token"; you might as well try it in practice. More related content is available in the relevant channels of this site; follow us and keep learning!
