
Token, cookie and session

2022-06-21 08:59:00 Break through

What are token, session and cookie?

HTTP is a stateless protocol.

What does stateless mean?

It means that each request has nothing to do with the previous one: the server does not recognise the client from one request to the next and does not link the requests together. The advantage of statelessness is speed.

cookie

A cookie is a way to identify the user on the browser side. The server issues a distinct session id to each user and sends it to the browser, which stores it in a cookie. On the next visit the browser sends this session id along, and the server knows which user the request belongs to.

Problems cookies face:

  • CSRF (cross-site request forgery) attacks. This is comparatively easy to solve, and many frameworks guard against it

  • Some clients do not support cookies and require manual handling, for example mini programs (applets)

  • Browsers restrict cookies: you cannot set a cookie manually, and mixed or embedded development runs into problems, for example a mini program jumping to an H5 page cannot carry the cookie

  • A browser limits the data saved in a single cookie to 4 KB, and many browsers restrict a site to 20 cookies

session

A session (conversation) is a way to identify the user on the server side. The server generates a different session id for each user and stores the corresponding information against it, such as the user id and login time.

Problems sessions face:

  • With load balancing across multiple servers, it is hard to confirm whether the current user is logged in, because the servers do not share sessions. This can be solved by keeping the sessions on a single server, but then the effect of load balancing is not fully achieved

  • Each client only needs to store its own session id, but the server must store the session data of every user, which is also a burden on the server


Note:

  • Cookies are only one way to implement sessions. Although they are the most commonly used, they are not the only way; when cookies are disabled, the id can be stored elsewhere, for example in the URL

  • Nowadays session + cookie is the usual combination, but a session alone without cookies, or cookies alone without a session, can in theory maintain conversational state. In practice, for many reasons, neither is used alone

  • With a session, the client keeps only an id while the bulk of the data is stored on the server. If cookies alone are used, the client does not have that much space when the amount of data is large

  • If cookies alone are used without a session, all account information is stored on the client; once the cookie is hijacked, all of it leaks. The client-side data also grows larger, and so does the amount transmitted over the network
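The session + cookie arrangement described above, as an added example that is not part of the original post: the server keeps the user's state in its own store and hands the browser only an unguessable session id, carried in a cookie. The cookie name `SESSIONID`, the 30-minute idle timeout and the `theme=dark` cookie in the sample header are assumptions constructed for the example. The `Set-Cookie` attributes show the defensive defaults a practitioner would want: `HttpOnly` keeps page scripts from reading the id, `Secure` restricts it to HTTPS, and `SameSite=Lax` stops most cross-site requests from carrying it, which addresses the CSRF problem mentioned under cookies.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Added example (not from the original post). Cookie name and idle timeout are assumptions.
COOKIE_NAME = "SESSIONID"
SESSION_TTL_SECONDS = 30 * 60


def create_session(store, uid, now=None):
    """Generate an unguessable session id and record the user's state server-side."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness; never derived from the uid
    store[sid] = {"uid": uid, "login_time": now, "last_seen": now}
    return sid


def set_cookie_header(sid):
    """Build the Set-Cookie header value that hands only the session id to the browser."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_from_cookie_header(store, cookie_header, now=None):
    """Parse the browser's Cookie header, look the id up in the server-side store and
    return the session record, or None when the cookie is missing, unknown or expired."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    record = store.get(morsel.value)
    if record is None:
        return None
    if now - record["last_seen"] > SESSION_TTL_SECONDS:
        del store[morsel.value]  # idle timeout: drop the expired server-side state
        return None
    record["last_seen"] = now
    return record


if __name__ == "__main__":
    store = {}
    sid = create_session(store, uid=1001, now=1_700_000_000)
    print("Set-Cookie:", set_cookie_header(sid))
    # Constructed Cookie header, as the browser would echo it back on the next request.
    print(session_from_cookie_header(store, f"theme=dark; {COOKIE_NAME}={sid}", now=1_700_000_100))
    # Three hours later the idle timeout has passed, so the lookup fails.
    print(session_from_cookie_header(store, f"{COOKIE_NAME}={sid}", now=1_700_000_000 + 3 * 3600))
```

The store here is a plain dict, which is exactly the single-server limitation the post describes: with several servers behind a load balancer, the dict would have to be replaced by a shared store that all of them can reach.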

token

A token, also called a pass or ticket, is made up of uid + time + sign + [fixed parameters]:

  • uid: the unique identifier of the user

  • time: the timestamp of the current time

  • sign: a signature, produced with a hash/encryption function and compressed into a fixed-length hexadecimal string, so that a third party cannot forge a token by splicing parts together

  • Fixed parameters (optional): some commonly needed fixed parameters added to the token in order to avoid repeated lookups

Token authentication is similar to a temporary signed certificate, and it is a server-side stateless authentication method, very well suited to REST API scenarios.

On the client, a token is generally stored in localStorage, a cookie, or sessionStorage. On the server it is usually stored in the database.
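The uid + time + sign construction above, as an added example that is not part of the original post: the sign is an HMAC-SHA256 over the uid and timestamp, rendered as a 64-character hex string, and verification needs no server-side lookup, which is the stateless property the post attributes to tokens. The secret key, the `.` separator and the one-hour validity window are assumptions constructed for the example; the fixed-parameter field is omitted.

```python
import hashlib
import hmac
import time

# Added example (not from the original post). Key, separator and lifetime are assumptions;
# the key is a constructed value and would be loaded from protected configuration in practice.
SECRET_KEY = b"server-side-secret-for-this-example-only"
TOKEN_TTL_SECONDS = 3600
CLOCK_SKEW_SECONDS = 60


def _sign(uid, issued_at):
    """HMAC-SHA256 over uid and timestamp, as a fixed-length (64 hex chars) string."""
    message = f"{uid}.{issued_at}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def issue_token(uid, now=None):
    """Build the token as uid.time.sign (uid is assumed not to contain the separator)."""
    issued_at = int(time.time() if now is None else now)
    return f"{uid}.{issued_at}.{_sign(uid, issued_at)}"


def verify_token(token, now=None):
    """Return the uid (as a string) if the token is intact and unexpired, else None.
    Nothing is looked up server-side: the signature alone proves the server issued it."""
    now = time.time() if now is None else now
    try:
        uid, issued_str, sign = token.split(".")
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return None  # malformed token
    expected = _sign(uid, issued_at)
    # Constant-time comparison: a spliced-in uid or altered timestamp fails here.
    if not hmac.compare_digest(sign, expected):
        return None
    # Reject expired tokens and tokens claiming to be issued in the future.
    if now - issued_at > TOKEN_TTL_SECONDS or issued_at > now + CLOCK_SKEW_SECONDS:
        return None
    return uid


if __name__ == "__main__":
    tok = issue_token("1001", now=1_700_000_000)
    print(tok)
    print(verify_token(tok, now=1_700_000_500))            # valid: "1001"
    print(verify_token(tok, now=1_700_000_000 + 7200))     # expired: None
    _, t, s = tok.split(".")
    print(verify_token(f"2002.{t}.{s}", now=1_700_000_500))  # uid swapped, signature mismatch: None
```

Because the server keeps no record of issued tokens, it cannot revoke one before the timestamp expires; that is the trade-off of statelessness, and it is why the post notes that tokens are often also stored in a database on the server side.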

Summary

  • A session is stored on the server and can be understood as a table of state, with a unique identifier sessionId, which is usually stored in a cookie. After the server receives the cookie it extracts the sessionId, looks it up in the session table, and finds the corresponding session.

  • A cookie is similar to a pass: it carries the sessionId, is stored on the client, and is usually added to requests by the browser automatically.

  • A token is also similar to a pass, but it is stateless: the user information is encrypted into the token, and after the server receives and decrypts the token it knows which user it is. The developer has to add it to requests manually.

Copyright notice: this article was written by [Break through]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/02/202202221450579185.html