Different Web application Login scenarios

Recently made a new Web application, required to be able to use other system account login, such as the old system single sign-on, third-party platform login situation, so I re-comb from the simplest server login to complex situations:

1. Single Server

1 Original server Auto-made

When the browser first requests, the server side creates the session and sends the SessionID to the client in the cookie with the ID jssseionid.

When the browser requests the second time, the server obtains the Jsessionid in the client's cookie and finds the session object according to Jsessionid.

2 Login System Scenarios

2.1 Login:, need to filter all requests, determine whether to log in, login can pass, otherwise return to the login page.

2.2 In the filter, each request, get the session (Request.getsession ()), if it is the first request, the session is the new session, Determine if the user information exists in the session (Session.getattrbute ("user") and the user information is stored at login. ）。 If it does not exist, it jumps to the login page.

2.3 The User login page confirms the login request to the server (at which time the user authentication filter does not filter the request), validates the user information, then obtains the user information and stores it in the session (Session.setattbute ("user")), and then the jump page returns to the client. The login is complete at this time.

2.4 When requested again. Also get the session, determine whether the user information in the session exists (Session.getattrbute ("user"), because already logged in, so at this time the user information exists, you can continue to access.

Summarize:

Single Server login, only need to record the user's information in the session, re-request, determine whether the information exists in the session to determine whether to log in. You do not need to write cookies on your own to the client.

2. Cluster Server

The cluster server login is similar to a single login, the difference is that after the client logs on to a machine, subsequent requests may be assigned to other machines, and if no other machine is related, the login information on the other machine will jump to the login page. There are generally two kinds of processing methods: 1, the session synchronization between the cluster machines. 2, different machines each time the request, do not log in to allow it to automatically log in, this situation requires a log on the information logged in the client to indicate the identity of the user.

The first processing in each cluster node is maintained session, will occupy a certain amount of resources, generally the second processing mode, the second way is to record the login information to the client, the login information generally includes the login user, logon time (for the effective time limit), login client IP, The encryption is then processed. When a request is filtered in the server, if the logon information in the session is not present, the login information is encrypted from the cookie. If there is a string to decrypt, security check, through the user information recorded in the session, complete the automatic login function.

Summary: The login information needs to be written into the client cookie, the login information is encrypted and decrypted in each cluster node, encryption can be confused with two values, a system of confusion, and a client does not have a variable value of user information to do confusion.

3. SSO Login

Single Sign-on is similar to cluster login, except that the generation and verification of login information is done on the SSO server,

When the user logs on to request the SSO server, SSO verifies the user information through the production login information, and then SSO writes the login information to the client cookie, when the client requests the application server, the server determines that there is no login information in the session and obtains the user information string in the cookie. and requests the SSO server to verify that the string is correct, and if the user information is correct and returned, the application server places the user information in the session.

Summary: The production and validation of user login information is to be done by the SSO server. Application server calls.

4. Third-party open platform Login

Third-party logins are similar to single sign-on, in fact a third party is equivalent to an SSO server.

Different Web application Login scenarios