
Advantages of token mechanism over cookie mechanism

2022-06-23 20:43:00 Evan Technology

When a client requests data from the server frequently, the server has to go to the database each time to look up the user name and password, compare them, decide whether they are correct and return the corresponding response. It is in this context that the Token came into being.

Simply put, a Token is a string generated by the server that serves as the client's credential for making requests. After the first login, the server generates a Token (this is what we call the Token) and returns it to the client. From then on the client only needs to send this Token along with each request for data, without sending the user name and password again. The purpose is to relieve pressure on the server, reduce frequent database queries and make the server more robust.

Data encryption during Token generation

When the client asks the server to generate a token, there are two main situations in which data needs to be encrypted. First, the user name and password have to be transmitted on the first login; the password cannot be sent in clear text, so it is encrypted with RSA, sent to the server and decrypted there with the private key. Second, when the server first transmits the token to the client, it can RSA-encrypt the token and the client decrypts it with the private key, as shown in the figure:

With a brief understanding of how a Token is formed and what it does, let's discuss the common authentication mechanisms. There are mainly four: HTTP Basic Auth (HTTP Basic Authentication), OAuth (open authorization), Cookie Auth and Token Auth.

HTTP Basic Auth

HTTP Basic Auth (HTTP Basic Authentication) means, simply put, that the user's username and password are supplied with every API request. In short, Basic Auth is the simplest way to use authentication with a RESTful API: just provide the user name and password. But because of the risk of exposing the user name and password to third-party clients, it is used less and less in production environments. Therefore, when opening a RESTful API to the outside world, try to avoid HTTP Basic Auth.

OAuth

OAuth (open authorization) is an open authorization standard. It allows users to let third-party applications access private resources the user has stored on a web service (such as photos, videos or contact lists) without providing the user name and password to the third-party application.

OAuth allows the user to provide a token, instead of a user name and password, to access the data they store with a particular service provider. Each token authorizes a specific third-party system (for example, a video editing site) to access specific resources (for example, just one video in an album) within a specific period (for example, the next 2 hours). In this way, OAuth lets users authorize third-party websites to access certain specific information they store with other service providers, rather than everything. Here is the OAuth 2.0 flow:

This OAuth-based authentication mechanism is suitable for Internet products aimed at individual consumers, such as social apps, but it is not suitable for enterprise applications that manage their own authentication authority.

Cookie Auth

Cookie (data stored on the user's local terminal) authentication works by having the server create a Session object for an authenticated request and, at the same time, a Cookie object; the Cookie object the client sends back is matched against the server-side Session object to achieve state management. By default, the cookie is deleted when we close the browser, but its expire time can be modified so that the cookie remains valid for a certain period.

Cookies are mainly used in the following three areas:

1. Session state management, such as user login status, shopping cart, game score or other information that needs to be recorded;

2. Personalization, such as user-defined settings, themes, etc.;

3. Browser behavior tracking.
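The session-plus-cookie matching described above, as an added example that is not part of the original post (the cookie name, the in-memory store and the sample values are all constructed for illustration): the server keeps the Session object and gives the client only an opaque, random id in the Cookie; every later request is resolved by looking that id up on the server. The Max-Age attribute is the "expire time" the text mentions, which turns a browser-session cookie (dropped when the browser closes) into one that persists for a fixed number of seconds.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "sid"  # constructed cookie name for this example


class SessionStore:
    """Server-side Session objects, keyed by a random, unguessable id.

    The cookie only carries the id; the user identity and any other state
    stay on the server and are looked up on every request.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str, lifetime: Optional[float] = None,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = {
            "user": username,
            "expires": None if lifetime is None else now + lifetime,
        }
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Match a presented id against stored sessions; purge it if expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["expires"] is not None and session["expires"] <= now:
            del self._sessions[sid]
            return None
        return session["user"]

    def destroy(self, sid: str) -> None:
        """Logout: revoking a server-side session is a single delete."""
        self._sessions.pop(sid, None)


def build_set_cookie(sid: str, max_age: Optional[int] = None) -> str:
    """Value of the Set-Cookie response header for a new session.

    Without Max-Age the browser treats this as a session cookie and drops it
    when it closes; with Max-Age it persists for that many seconds.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True   # not readable by page scripts
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    if max_age is not None:
        morsel["max-age"] = max_age
    return cookie.output(header="").strip()


def user_from_cookie_header(store: SessionStore, cookie_header: str,
                            now: Optional[float] = None) -> Optional[str]:
    """Parse an incoming Cookie request header and resolve it to a user."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except CookieError:
        return None
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return store.lookup(morsel.value, now=now)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", lifetime=3600)
    print("Set-Cookie:", build_set_cookie(sid, max_age=3600))
    print("resolved user:", user_from_cookie_header(store, f"sid={sid}"))
```

Note that the server must hit its store on every request to recover the user; that lookup is exactly the round trip the Token mechanism later removes.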

Token Auth

Advantages of Token Auth

What are the benefits of the Token mechanism compared with the Cookie mechanism?

1. Cross-domain access is supported: cookies are not allowed to cross domains, but the Token mechanism has no such restriction, provided the user authentication information is transmitted in the HTTP header.

2. Stateless (also known as server-side scalability): the Token mechanism does not need to store session information on the server, because the Token itself contains all the information about the logged-in user; state information only needs to be kept on the client side, in a cookie or in local storage.

3. More suitable for CDNs: all of your server's static content (such as JavaScript, HTML and images) can be requested through a content delivery network, and your server only has to provide the API.

4. Decoupling: there is no need to bind to a specific authentication scheme. The Token can be generated anywhere; you only need to make the Token generation call when your API is invoked.

5. More suitable for mobile applications: when your client is a native platform (iOS, Android, Windows 8, etc.), Cookies are not supported (you have to handle them through a Cookie container), and using a Token authentication mechanism is much simpler.

6. CSRF: because it no longer depends on Cookies, you don't have to consider CSRF (cross-site request forgery) protection.

7. Performance: a network round trip (querying session information from the database) always takes far longer than the HMAC-SHA256 computation needed to validate and parse a Token.

8. No special handling for the login page: when doing functional tests with Protractor, you no longer need to treat the login page specially.

9. Based on standardization: your API can use the standardized JSON Web Token (JWT). There are already multiple back-end libraries for this standard (.NET, Ruby, Java, Python, PHP) and support from multiple companies (such as Firebase, Google, Microsoft).
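An added example of what points 2, 7 and 9 describe; it is not from the original post and not any particular library's code. It issues and verifies a minimal HS256 JWT using only the Python standard library, with a constructed secret key. Verification is a single HMAC-SHA256 computation plus an expiry check, so no server-side session store is consulted; a forged payload, a token that asks for a different algorithm, or an expired token all fail closed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: in a real deployment this comes from a secrets store.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped at encode time before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    """Compact JSON, then base64url: one JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(username: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT after the user has proven username/password once."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{json_segment(header)}.{json_segment(payload)}"
    signature = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, else None.

    No database or session store is consulted: the HMAC over header and
    payload is the only evidence that this server issued the token.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token must not choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak the signature.
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        # Wrong segment count, bad base64, bad JSON: all rejected.
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=3600)
    print("token:", token)
    print("verified payload:", verify_token(token))
```

The trade-off behind the "stateless" advantage is visible here: because nothing is stored server-side, a token stays valid until `exp` passes; revoking it early requires reintroducing some server-side state (a denylist or key rotation).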


Copyright notice
This article was written by [Evan Technology]; when reposting, please include the original link. Thank you.
https://yzsam.com/2021/12/202112291651591177.html