The differences and connections among cookies, sessions, JWT, and tokens
2022-07-05 06:45:00 【Wei Yunshu】
Cookie, Session, JWT, Token: differences and connections
HTTP requests are stateless
- Network communication uses the HTTP protocol, and there is no correlation between one request and the next.
Accessing an interface requires authentication
- Back-end interfaces cannot be exposed to the outside directly; only authenticated requests may access them. Common authentication methods include a user name and password, or an SMS verification code. But HTTP is stateless, so every request would have to authenticate again.
- Nobody wants to enter a user name and password on every request. The user name and password could be kept in the browser, but once the browser is compromised, all the passwords are exposed.
Cookie
- The browser has a place to store cookies. A cookie holds a <key, value> pair, and can also carry an expiry date and the domain it applies to; when the user visits that domain, the browser simply picks up the matching cookies.
- When the user first sends a request with user name and password, the server can put the user name and password into a cookie, so that on the next visit the browser can log in directly. But this leaves the credentials completely unprotected, and it is very unsafe.
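As an added example (not code from the original post), the following models the cookie behaviour described above: the browser stores key/value pairs with an expiry and a domain, and attaches only the cookies that match the domain being visited and have not expired. The names `Cookie`, `CookieJar`, `domain_matches` and `build_set_cookie` are this example's own. The `HttpOnly` and `Secure` attributes go beyond what the post mentions; they are included because a cookie that carries a session identifier should not be readable by page scripts or sent over plain HTTP.

```python
# Added example: a minimal cookie jar modelling browser cookie storage and selection.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                   # e.g. "example.com"
    expires: Optional[datetime]   # None = session cookie (discarded when the browser closes)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Domain matching: the host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self) -> None:
        self._cookies: list[Cookie] = []

    def store(self, cookie: Cookie) -> None:
        # A cookie with the same name and domain replaces the earlier one
        self._cookies = [c for c in self._cookies
                         if not (c.name == cookie.name and c.domain == cookie.domain)]
        self._cookies.append(cookie)

    def cookies_for(self, host: str, now: datetime) -> dict[str, str]:
        """Return the cookies a browser would attach to a request to `host` at time `now`."""
        result: dict[str, str] = {}
        for c in self._cookies:
            if c.expires is not None and c.expires <= now:
                continue                      # expired: never sent (a real jar would purge it)
            if domain_matches(host, c.domain):
                result[c.name] = c.value
        return result


def build_set_cookie(cookie: Cookie, http_only: bool = True, secure: bool = True) -> str:
    """Render the Set-Cookie response header for `cookie` (HttpOnly/Secure are this example's
    addition; the post itself only mentions expiry and domain)."""
    parts = [f"{cookie.name}={cookie.value}", f"Domain={cookie.domain}"]
    if cookie.expires is not None:
        parts.append("Expires=" + cookie.expires.strftime("%a, %d %b %Y %H:%M:%S GMT"))
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def demo() -> dict[str, str]:
    # Constructed scenario: two cookies for example.com (one already expired) and one for another site
    now = datetime(2022, 7, 5, 6, 45, tzinfo=timezone.utc)
    jar = CookieJar()
    jar.store(Cookie("session_id", "abc123", "example.com", now + timedelta(hours=1)))
    jar.store(Cookie("old_pref", "dark", "example.com", now - timedelta(days=1)))
    jar.store(Cookie("other", "x", "other.test", None))
    return jar.cookies_for("app.example.com", now)


if __name__ == "__main__":
    print(build_set_cookie(Cookie("session_id", "abc123", "example.com", None)))
    print(demo())   # {'session_id': 'abc123'}
```

Only the unexpired cookie whose domain matches the visited host is returned; the expired one and the cookie for a different site stay in the jar but are never sent.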
Session
- The server keeps the client's state information in its own memory. When a client connects, the server creates a unique identifier, the session_id, stores it locally together with the related information, and puts the session_id into the cookie it returns to the browser. On its next visit the browser presents the session_id as its identity, and the server compares it with the stored one. When the session_id on the server reaches its expiry date, the corresponding session expires; if the user logs out, the cookie is deleted from the browser accordingly.
JWT
A JWT (JSON Web Token) is made up of three parts:
- Header: describes the JWT's metadata. It defines the algorithm used to generate the signature and the type of the token.
- Payload: carries the data that needs to be transferred.
- Signature: generated by the server from the Payload, the Header and a secret key, using the signature algorithm specified in the Header (the default is HMAC SHA256).
After the user logs in, the server generates a JWT, puts some non-sensitive information into the JWT's Payload, and sends it back to the user.
The user then presents the JWT as their identity and is logged in directly. But such a JWT is held by the user: until it expires, the server has no control over it.
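The following is an added example (not code from the original post) that builds and verifies an HS256 JWT with the standard library only, so the three parts described above are visible in the output. It also shows the two consequences the text draws: a payload altered after signing is rejected because the signature no longer matches, and a token is rejected after its `exp` time but cannot be withdrawn by the server before then. The function names `encode_jwt`/`decode_jwt`, the secret and the timestamps are this example's own constructed values.

```python
# Added example: HS256 JWT encode/verify with the standard library.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}   # Header: signing algorithm and token type
    # Compact JSON with sorted keys gives a deterministic encoding
    signing_input = ".".join([
        _b64url(json.dumps(header, separators=(",", ":"), sort_keys=True).encode()),
        _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()),
    ])
    # Signature: HMAC-SHA256 over "header.payload", keyed with the server secret
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature and expiry; return the payload or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # The verifier, not the token's header, decides which algorithm is acceptable
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def demo() -> dict:
    secret = b"constructed-demo-secret-do-not-reuse"
    issued_at = 1_657_000_000                                  # constructed timestamp
    token = encode_jwt({"sub": "alice", "role": "user", "exp": issued_at + 3600}, secret)
    results = {"valid": decode_jwt(token, secret, now=issued_at)["sub"]}

    # Alter the payload but keep the original signature: the signature check rejects it
    h, _, s = token.split(".")
    altered = _b64url(b'{"exp":%d,"role":"admin","sub":"alice"}' % (issued_at + 3600))
    try:
        decode_jwt(f"{h}.{altered}.{s}", secret, now=issued_at)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)

    # After exp the token is rejected; before exp only the secret and exp govern validity
    try:
        decode_jwt(token, secret, now=issued_at + 3601)
        results["after_exp"] = "accepted"
    except ValueError as e:
        results["after_exp"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())   # {'valid': 'alice', 'tampered': 'bad signature', 'after_exp': 'token expired'}
```

Note that nothing in `decode_jwt` consults server-side state: a token that has not reached `exp` and carries a valid signature is accepted even if the user has since logged out, which is the lack of control the text refers to.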
Token
- A string that carries no specific information itself. The user information is stored in Redis, MySQL or a similar store, with the Token as its key.
- When the user logs in, the Token is returned to the user; on each later request the server first reads the user information via the token and then checks it.
Refresh Token
- A Token has a time limit; the Refresh Token is valid for somewhat longer. After the Token expires, the Refresh Token is used to obtain a new Token, keeping the Token continuous.
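The session, Token and Refresh Token sections above all describe the same server-side pattern: the client holds only a random identifier, and the server looks the user up by that key. The following is an added example (not code from the original post) covering all three: issuing an opaque access token and a longer-lived refresh token, lazy expiry, refresh-token rotation, and the server-side revocation that a stored token allows and a JWT does not. A Python dict stands in for the Redis/MySQL store the text mentions; `TokenStore`, its methods and the TTL constants are this example's own names and values.

```python
# Added example: opaque session/token store with refresh tokens and server-side revocation.
import secrets
from typing import Optional

ACCESS_TTL = 15 * 60            # short-lived access token / session_id, in seconds
REFRESH_TTL = 7 * 24 * 3600     # longer-lived refresh token


class TokenStore:
    def __init__(self) -> None:
        # token -> (user record, expiry); in production this is Redis with a key TTL
        self._access: dict[str, tuple[dict, float]] = {}
        self._refresh: dict[str, tuple[dict, float]] = {}

    def login(self, user: dict, now: float) -> tuple[str, str]:
        """After credentials were checked elsewhere, issue an access and a refresh token."""
        access = secrets.token_urlsafe(32)     # 256-bit random opaque string, carries no data
        refresh = secrets.token_urlsafe(32)
        self._access[access] = (user, now + ACCESS_TTL)
        self._refresh[refresh] = (user, now + REFRESH_TTL)
        return access, refresh

    def authenticate(self, access: str, now: float) -> Optional[dict]:
        """Look the token up by key; return the user record or None."""
        entry = self._access.get(access)
        if entry is None:
            return None
        user, exp = entry
        if now >= exp:
            del self._access[access]           # lazy expiry, like a Redis TTL
            return None
        return user

    def refresh(self, refresh_token: str, now: float) -> Optional[tuple[str, str]]:
        """Exchange a valid refresh token for a new pair. The old refresh token is consumed
        (rotation), so presenting it a second time is treated as invalid."""
        entry = self._refresh.pop(refresh_token, None)
        if entry is None:
            return None
        user, exp = entry
        if now >= exp:
            return None
        return self.login(user, now)

    def logout(self, access: str) -> None:
        """Server-side revocation: the server, not the token's expiry, ends the session."""
        self._access.pop(access, None)

    def revoke_user(self, user_id: str) -> int:
        """Invalidate every token of one user (e.g. after a password change); returns the count."""
        before = len(self._access) + len(self._refresh)
        self._access = {k: v for k, v in self._access.items() if v[0]["id"] != user_id}
        self._refresh = {k: v for k, v in self._refresh.items() if v[0]["id"] != user_id}
        return before - (len(self._access) + len(self._refresh))


def demo() -> dict:
    store = TokenStore()
    t0 = 1_657_000_000.0                       # constructed clock value
    alice = {"id": "u1", "name": "alice"}      # constructed user record
    access, refresh = store.login(alice, t0)
    out = {"fresh": store.authenticate(access, t0) == alice}
    # The access token lapses after ACCESS_TTL ...
    out["expired"] = store.authenticate(access, t0 + ACCESS_TTL) is None
    # ... and the refresh token yields a new pair without a new login
    new_access, new_refresh = store.refresh(refresh, t0 + ACCESS_TTL)
    out["refreshed"] = store.authenticate(new_access, t0 + ACCESS_TTL) == alice
    out["reuse_old_refresh"] = store.refresh(refresh, t0 + ACCESS_TTL) is None
    # Logout takes effect immediately, whatever the token's remaining lifetime
    store.logout(new_access)
    out["after_logout"] = store.authenticate(new_access, t0 + ACCESS_TTL) is None
    out["revoke_count"] = store.revoke_user("u1")   # only new_refresh is left to remove
    return out


if __name__ == "__main__":
    print(demo())
```

The contrast with the JWT model is in `logout` and `revoke_user`: because the user record lives on the server, the server can invalidate a token at any moment, at the cost of a store lookup on every request and the memory or shared-storage questions raised below.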
Three questions:
- A Cookie is stored on the client and a Session on the server, with the Session_id as the link between them: the client proves its login status with the Session_id. A Cookie (user name + encrypted password) and a JWT look so alike, and a Cookie/session and a token look so alike; what is the main difference between them?
- A Session is stored on a single server; when many users are online at the same time, Sessions take up a lot of memory. And when the site is deployed as a cluster, multiple servers need to share the users' login state. Doesn't that just mean storing the Session in MySQL?
- Cookies have cross-domain problems and tokens do not; so why not use a Cookie as a token?