1. Background
After a successful login request on the web side, the browser stores the SessionID returned in the response in a cookie. When the user then opens another page, that SessionID is sent to the backend, which looks up the matching session and runs the corresponding logic. In other words, the session is essentially cookie-based. However, some mobile gateways do not support passing cookies, so authorization checks on the mobile side cannot simply call request.getSession() in the backend and expect to get one unified session for the mobile application. To solve this, a token (analogous to a SessionID) can be generated each time the mobile app logs in, and the app then sends that token along with every subsequent request.
2. Specific ideas
When the mobile app and the web side share the same backend, the filter can first check whether a token was passed in. If there is one, the request is treated as a mobile request and the authorization decision is made from the token. If no token is passed in, the ordinary cookie-backed session is checked as usual.
3. Development steps
The following describes the steps for mobile access.
3.1 Token table design
Token information is stored in a separate database table, with exactly one row per person (keyed by the person's ID, humanid).
3.2 Use of the token
3.2.1 Login server
When a mobile user logs into the system, the user name and password are sent for verification. Once verification passes, the person's old token record is deleted from the token table, a new token record for that person is inserted, and the new token is returned to the client.
3.2.2 Backend access
Every request sent to the server must carry the token as a request parameter. The backend filter checks the token first: if the incoming token does not exist in the token table, the filter returns immediately to the client with the message "token has expired, please log in again". If the token check passes, the backend interface is accessed normally.
3.2.3 Multi-terminal access
Multi-terminal access on the mobile side follows from the rule above: because each login refreshes the person's single token record, logging in from another terminal automatically logs out the current one, which guarantees that only one terminal per person is connected at any time.
3.2.4 Logout
When the user actively logs out from a terminal, that person's token record is removed from the token table.
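The whole flow of sections 2 and 3 (token table, login, filter check, multi-terminal replacement, logout) as an added example; this is not code from the original post. It models the servlet filter logic in Python, with an in-memory SQLite table standing in for the token table and a plain dict standing in for the servlet request. The sample credentials, the request shape and the helper names are assumptions made for the example. It also applies the note in section 4 by storing only a hash of the token rather than the token itself.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed sample credentials for the example; a real system checks a user store.
USERS = {"alice": "correct horse"}


def new_token_store():
    """Create the token table (3.1) in an in-memory SQLite database.

    One row per humanid is what gives the "one terminal at a time" rule (3.2.3):
    a new login for the same person replaces that person's only row.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE token ("
        "humanid TEXT PRIMARY KEY, "
        "token_hash TEXT NOT NULL, "
        "created_at INTEGER NOT NULL)"
    )
    return conn


def _hash_token(token):
    # Only a SHA-256 digest is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def login(conn, username, password):
    """3.2.1: verify credentials, drop the old token, insert a new one, return it."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, so it cannot be guessed
    conn.execute("DELETE FROM token WHERE humanid = ?", (username,))
    conn.execute(
        "INSERT INTO token (humanid, token_hash, created_at) VALUES (?, ?, ?)",
        (username, _hash_token(token), int(time.time())),
    )
    conn.commit()
    return token  # the plaintext token goes to the client exactly once


def humanid_for_token(conn, token):
    """Look up who a token belongs to; None means 'not in the table'."""
    row = conn.execute(
        "SELECT humanid FROM token WHERE token_hash = ?", (_hash_token(token),)
    ).fetchone()
    return row[0] if row else None


def logout(conn, humanid):
    """3.2.4: an explicit logout just deletes the person's row."""
    conn.execute("DELETE FROM token WHERE humanid = ?", (humanid,))
    conn.commit()


def auth_filter(conn, request):
    """Model of the shared filter from section 2 and 3.2.2.

    `request` is a plain dict standing in for HttpServletRequest:
    {"params": {...request parameters...}, "session": {...session attributes...}}.
    Returns (status, principal) instead of calling chain.doFilter().
    """
    token = request.get("params", {}).get("token")
    if token is not None:
        # Mobile path: the token decides; the cookie session is not consulted.
        humanid = humanid_for_token(conn, token)
        if humanid is None:
            return 401, "token has expired, please log in again"
        return 200, "mobile:" + humanid
    # Web path: no token, so fall back to the ordinary cookie-backed session.
    humanid = request.get("session", {}).get("humanid")
    if humanid is None:
        return 401, "not logged in"
    return 200, "web:" + humanid


if __name__ == "__main__":
    conn = new_token_store()
    first = login(conn, "alice", "correct horse")
    second = login(conn, "alice", "correct horse")  # login from a second terminal
    print(auth_filter(conn, {"params": {"token": first}}))   # first terminal is kicked out
    print(auth_filter(conn, {"params": {"token": second}}))  # second terminal is accepted
    logout(conn, "alice")
    print(auth_filter(conn, {"params": {"token": second}}))
```

In a real servlet filter the 401 branches would write the response and return without calling chain.doFilter(), and the 200 branches would set the resolved humanid as a request attribute before passing the request on.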
4. Note
For security purposes, the token must not be handled in plaintext; symmetric encryption is one option. Whatever scheme is chosen, the token must be generated from a cryptographically secure random source so that it cannot be guessed or forged, and it should only be transmitted over HTTPS.
A way of doing session control when the mobile app and the web side share the same backend