Example of token verification

Source: Internet
Author: User
Tags base64 sessions
<div class="MainContent">
<h1 class="Page-header">Token based Authentication</h1>
<div id="node-2834" class="node Node-blog view-mode-full clearfix" about="/blog/2834" typeof="sioc:Item foaf:Document"><span property="dc:title" content="Token" class="rdf-meta element-hidden"></span><span property="sioc:num_replies" content="7" datatype="xsd:integer" class="rdf-meta element-hidden"></span>
<div class="node-content">
<div class="Content">
<p>I recently learned about token-based authentication and want to share it. Many large websites use it, such as Facebook, Twitter, Google+ and GitHub. Compared with the traditional authentication method, tokens are more scalable and more secure, and they suit web applications and mobile applications well. I like the Chinese translation of "token" (a pass or tally): with this token in hand you can get through a series of checkpoints.</p>
<p>HTTP is a stateless protocol: by itself it does not know who is accessing the application. Here the user is the client. The client authenticates with a username and password, but the next time it sends a request it would have to be authenticated all over again.</p>
<p>The usual solution is that when the user logs in successfully, the server creates a record that identifies the logged-in user and sends the ID of that record to the client. The client stores the ID in a cookie, and on the next request it sends the cookie along. The server checks the information in the cookie and looks for the matching record; if it finds one, the user is considered authenticated and the requested data is returned to the client.</p>
<p>This is the session. The server has to store a session for every logged-in user, in memory, on disk or in a database, and may also need to clean up expired sessions periodically.</p>
<p>With token-based authentication the server does not need to store login records at all. The general flow is:</p>
<ol><li>The client logs in with a username and password</li>
<li>The server receives the request and verifies the username and password</li>
<li>If verification succeeds, the server issues a token and sends it to the client</li>
<li>The client stores the token after receiving it, for example in a cookie or in local storage</li>
<li>The client sends the token along with every request for a server resource</li>
<li>The server receives the request and verifies the token; if validation succeeds it returns the requested data to the client</li>
</ol><p>There are many ways to implement token validation, and there are standard ones, such as JWT (pronounced "jot"), which stands for JSON Web Token. A JWT token has three parts:</p>
<ul><li>header</li>
<li>payload</li>
<li>signature</li>
</ul><p>The three parts are joined with dots, and each is Base64 encoded, so a real token looks like this:</p>
<pre class="hljs">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc</pre><p>The header has two fields: the type of the token and the algorithm used to sign it. In the following example the type is JWT and the algorithm is HS256.</p>
<pre class="hljs json">{
  "alg": "HS256",
  "typ": "JWT"
}</pre><p>Base64 encoding the content above gives:</p>
<pre class="hljs">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9</pre><p>The payload holds the actual content of the token. Some of its fields are standard, and you can add whatever other fields you need. The standard fields are:</p>
<ul><li>iss: issuer</li>
<li>sub: subject</li>
<li>aud: audience</li>
<li>exp: expiration time</li>
<li>nbf: not before</li>
<li>iat: issued at</li>
<li>jti: JWT ID</li>
</ul><p>For example, the following payload uses the standard fields iss (issuer) and exp (expiration time), plus two custom fields, name and admin.</p>
<pre class="hljs json">{
  "iss": "ninghao.net",
  "exp": "1438955445",
  "name": "wanghao",
  "admin": true
}</pre><p>Base64 encoded, it becomes:</p>
<pre class="hljs">eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ</pre><h3>signature</h3><p>The last part of the JWT is the signature. It is built from three things: the Base64-encoded header and payload, joined as header.payload, are signed with the algorithm named in the header (HMAC-SHA256 here) using a secret. The secret is like a password and is kept secret on the server side.</p>
<ul><li>header</li>
<li>payload</li>
<li>secret</li>
</ul><pre class="hljs javascript">var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
HMACSHA256(encodedString, 'secret');</pre><p>After this processing the signature looks like this:</p>
<pre class="hljs">SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc</pre><p>The final token that the server generates and sends to the client looks like this:</p>
<pre class="hljs">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc</pre><p>The client receives this token and stores it. On the next request to the server it sends the token along; the server validates the token and then returns the resources the client asked for.</p>
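<p>A worked version of the signing and validation steps above, added here as an example that is not code from the original post. It rebuilds the post's header and payload with unpadded base64url (what JWT actually uses, which is why the signature contains an underscore), computes the HS256 signature with the secret <code>'secret'</code> from the snippet, and validates a token the way the server side should: a pinned algorithm, a constant-time signature comparison, and an <code>exp</code> check (the post's <code>exp</code> of 1438955445 is a 2015 timestamp, so that sample token is long expired). All function names are this example's own.</p>

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515): '+' and '/' become '-' and '_', '=' is dropped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url() stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Compact JSON (no spaces) is what the post's encoded strings were produced from
    h64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    p64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h64}.{p64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url(signature)}"

def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """Return the payload of a valid token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the verifier decides what it accepts, not the token
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    # compare_digest avoids leaking the correct signature through timing differences
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p64))
    # The post stores exp as a string; RFC 7519 expects a numeric date, so coerce it
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload

def is_valid(token: str, secret: bytes, now: int) -> bool:
    try:
        verify_hs256(token, secret, now)
        return True
    except (ValueError, KeyError, AttributeError):
        return False

# Header and payload from the post; the key is the 'secret' used in its snippet
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"iss": "ninghao.net", "exp": "1438955445", "name": "wanghao", "admin": True}
```

<p><code>sign_hs256(HEADER, PAYLOAD, b"secret")</code> reproduces the encoded header and payload shown above; <code>is_valid(token, b"secret", now=int(time.time()))</code> returns False today because <code>exp</code> has passed.</p>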
<ul><li><a href="http://jwt.io/">http://jwt.io/</a></li>
<li><a href="https://github.com/firebase/php-jwt">https://github.com/firebase/php-jwt</a></li>
<li><a href="https://scotch.io/tutorials/the-anatomy-of-a-json-web-token">https://scotch.io/tutorials/the-anatomy-of-a-json-web-token</a></li>
<li><a href="https://github.com/auth0/jwt-decode">https://github.com/auth0/jwt-decode</a></li>
</ul> </div>
</div>
</div>
</div>
<!--/.node-->
</div>
