Session cookies and tokens
2022-07-02 10:40:00 【Big chicken legs are best】
session-cookie
Session-cookie authentication uses a server-side session together with a browser cookie to authenticate the front end to the back end. The server creates a session collection and keeps each client's requests associated with that client's own session. Whenever the server receives a request carrying the browser's cookie, it looks up the corresponding session id (s_id) in the session store; if it is found, the identity is confirmed.

Shortcomings:
- The server has to store the Session, and because Sessions must be looked up frequently and quickly they are usually kept in memory or in an in-memory database; with many users online this consumes a lot of server resources.
- Vulnerable to CSRF attacks: a cookie-based cross-site request forgery attack. Because the user is identified by the cookie and carries that value with every request, once the cookie is intercepted the user can easily be impersonated.
- Poor scalability: when you need to scale out, the server that created the Session may not be the server that authenticates it, so all Sessions have to be stored and shared separately.
Token authentication
Token authentication is also called token-based authentication. It is a stateless authentication method: user information does not need to be stored on the server or in a Session server, which removes that server-side overhead. When the user logs in for the first time, the server generates a token and returns it to the client. The client keeps the token until it expires or is deleted, and simply sends it with every subsequent request for data.
1. The user sends a login request with username and password;
2. The program validates the credentials;
3. The program returns a signed token to the client;
4. The client stores the token and sends it with every request;
5. The server validates the token and returns the data.
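As an added example (not code from the original post), here is a minimal version of steps 3 and 5 in Python: the server issues an HMAC-SHA256-signed token carrying the user id and an expiry, and later verifies it from the signature alone, with no server-side session store. The key variable, the `sub`/`iat`/`exp` claim names and the `<claims>.<signature>` layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed: a server-side signing key that never leaves the server.
SECRET_KEY = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, now=None, key: bytes = SECRET_KEY) -> str:
    """Step 3: build the claims, sign them with HMAC-SHA256, return '<claims>.<signature>'."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signature = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64url(signature)}"


def verify_token(token: str, now=None, key: bytes = SECRET_KEY):
    """Step 5: return the claims if the signature is valid and the token is unexpired, else None.

    Nothing is looked up server-side; the signature alone proves the server issued these claims.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, signature = token.split(".")
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong number of '.' parts, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=60)
    print(verify_token(tok))               # the claims for alice
    print(verify_token(tok[:-3] + "AAA"))  # None: signature no longer matches
```

In the flow above the client would send this token in a request header (for example `Authorization`) rather than as a cookie, which is what the next section's "does not rely on Cookies" point refers to.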
Advantages
- The server does not need to store user authentication information; the authentication information is encrypted into the Token, and the server only needs to read the authentication information the Token contains.
- Avoids the scaling problems caused by sharing Sessions.
- Does not rely on Cookies, which effectively avoids the CSRF attack problem that Cookies bring.
- With CORS, cross-domain problems can be solved quickly.