API Service-side Interface Security Solution
http://blog.csdn.net/tenfyguo/article/details/8225279
A common token-based implementation scheme
Tokens are commonly used in a variety of applications, for example in the following scenarios:
1. After the user submits account and password, the system verifies them, creates a session and returns a session ID to the caller. Subsequent calls carry only the account and the session ID instead of the password, so the backend only has to validate the session ID, which is cheap. This avoids repeated password submission on critical or sensitive interfaces, and the server can manage the lifetime of the session ID.
2. Authorization within a session: when the user enters a payment password, that represents an explicit authorization. The system then generates a longer token string and returns it to the caller; subsequent deduction (charge) calls are validated against this token. Note that such a token must be sufficiently long, single-use, and valid only for a short period.
3. On an open platform that grants access to external sites, once the user has authorized an external site the platform can issue that site a token; later service calls carry the token, so the user does not have to re-authorize on every call.
4. An extension of this idea applies to a multi-step flow made of isolated serial calls. Completing the first step requires a series of interface calls that determine whether the user has permission or is eligible for a service; when the user then calls the second step, the second step would, for security, have to repeat that whole series of checks. Instead, the system can issue a one-time token to a user who passes the first step. Implementation: on the first pass, write a record keyed by the user account together with the token; on the second step, look up and update that record to decide whether the call is allowed. The benefit is removing the risk that the second step can be invoked in isolation from the first.
For example, after a prize draw our system shows the user a message that they have won, and the user must then make a separate call to claim the prize. A token can be issued together with the winning notification, and the prize-claim call must carry that token so it can be verified.
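The one-time token store from scenario 4 (and the prize-claim example), written here as an added illustration rather than code from the original post. It assumes an in-memory dictionary keyed by (account, token), an injected clock so expiry can be tested, and a constructed 5-minute validity window; the token length and TTL are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 300  # assumed validity window for a one-time token


@dataclass
class TokenRecord:
    account: str
    expires_at: float
    used: bool = False


class OneTimeTokenStore:
    """Issues a token after the first (qualification) step and lets the
    second step consume it exactly once, bound to the same account."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable for testing expiry
        self._records = {}   # (account, token) -> TokenRecord

    def issue(self, account):
        # 32 random bytes (256 bits) -> a URL-safe string long enough to be unguessable
        token = secrets.token_urlsafe(32)
        self._records[(account, token)] = TokenRecord(account, self._clock() + self._ttl)
        return token

    def consume(self, account, token):
        # Lookup is keyed by account AND token: a token issued to one account
        # cannot be presented by another, and an unknown token is rejected.
        rec = self._records.get((account, token))
        if rec is None:
            return False
        if rec.used or self._clock() > rec.expires_at:
            return False  # replay or expired
        rec.used = True   # keep the record (marked used) so a replay can be detected and logged
        return True


def claim_prize_demo():
    """Constructed walk-through of the prize-claim flow: win, claim once, replay fails."""
    store = OneTimeTokenStore()
    token = store.issue("user-123")           # issued with the "you won" notification
    first = store.consume("user-123", token)  # the claim call carries the token
    replay = store.consume("user-123", token) # a second claim with the same token
    return first, replay
```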