当前位置：网站首页>The differences and connections among cookies, sessions, JWT, and tokens

The differences and connections among cookies, sessions, JWT, and tokens

2022-07-05 06:45:00 【Wei Yunshu】

Network communication uses http agreement , There is no correlation between each request

The back-end interface cannot be exposed to the outside , Only authenticated requests can be accessed , Common authentication methods such as ： User name, password 、 SMS verification code , but http It's stateless , Every request requires authentication ;
You don't want to enter your user name and password every time you send a request , You can put the user name and password in the browser , But once the browser is attacked , All passwords will be revealed ;

There is a store in the browser Cookie The place of ,Cookie It can store <key,value> This key value pair , You can also store the corresponding expiration date , And the corresponding access domain address , When the user accesses the domain name , Just get the corresponding cookie;
When the user accesses the establishment request with the user name and password for the first time , The server can put the user name and password in cookie among , When the browser is next used , You can log in directly , But this is no different from streaking , It's very unsafe ;

The server memory stores the client status information , After client access , Create a unique identifier session_id And other corresponding information , Stored locally , And put this session_id Put it in the returned cookie among , Return to browser ; The next time the browser accesses the service , Just take it session_id As identification , Server and storage session_id compare ; When... In the server session_id The expiration date is up , The corresponding expired , If the user exits , In the browser cookie Delete accordingly

JWT（Json web token） It's made up of three parts ：
- Header : describe JWT Metadata . Defines the algorithm to generate the signature and Token The type of .
- Payload（ load ）: It is used to store the data that needs to be transferred
- Signature（ Signature ）： Server pass Payload、Header And a key (secret) Use Header The signature algorithm specified in （ The default is HMAC SHA256） Generate .
After the user logs in , Server generation JWT, Put some insensitive information on JWT Of Payload among , Send it back to the user ;
The user will get JWT As your own identity information , Direct login ; But such JWT User controlled , Before it fails , The server has no control permission ;

A string that does not carry specific information , Store user information in Redis or Mysql Wait in memory ,Token As its key
The user login , take Token Return to the user , After each login, first pass token Read user information , Then check it ;

Token Have time limit ,Refresh Token The actual effect is slightly longer ,Token After the failure , use Refresh Token Refresh Token, keep Token The continuity of

Cookie Store as a client 、session Store as a server , take Session_id As the association between client and server , Client pass Session_id Verify your login status ;Cookie（ user name + Encrypted password ） And JWT So like ;Cookie/session And token So like , What is the main difference between them ？
Session Stored in a single server , When users are online at the same time, the amount is ,Session It takes up more memory ; And when the website adopts cluster deployment , Multiple servers need to share user login status . That will Session Put it in mysql Don't you just store it in ？
Cookie There will be cross domain problems ,token There is no cross domain problem , Then why not Cookie As a token The use of ？

版权声明
本文为[Wei Yunshu]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/186/202207050624253817.html