Token Identity Authentication | Security

Source: Internet
Author: User
Tags: base64, decrypt, server memory
What is a token?

User data must be protected, yet HTTP is a stateless protocol that does not tell one visitor from another. The server therefore has to authenticate users: the user submits an account and password, and the login state has to be recorded so that the user is not asked to log in again on every page. The traditional approach relies on the session mechanism: when the user logs in, the server creates a record that identifies the user and sends an identifier for it to the client, which stores it in a cookie. On the next request the client sends that cookie along, and the server checks whether the identifier matches a logged-in session; if it does not, verification fails. This approach is server-centric: sessions are kept in server memory or written to a database, the server has to clean up expired sessions periodically, and as the number of users grows the memory demand and the load on the server grow with it. A token is another tool for authenticating users, and it is a client-side credential. When the client sends a login request, the server generates a string and returns it to the client as the token, and all subsequent requests carry only that token. With token-based authentication the server does not need to store the user's login record. The exact flow of the two methods is as follows:

The token workflow can be summarized as follows:
1. The user logs in by filling in a user name and password, which are sent to the server back end.
2. The server validates the login information.
3. If validation passes, the server signs and generates a token and returns it to the client.
4. The client stores the token and attaches it to every subsequent request to the server.
5. When the server receives a request, it validates the token and then returns the data.


Advantages of Token

Using tokens for user authentication has several advantages:
- Stateless and scalable: the user's login state is not stored on the server, so servers can be added or removed easily.
- Supports mobile devices and many kinds of clients.
- Good cross-application support: calls between the various interfaces are more convenient.
- Secure and reliable.


Generation of Token

A lightweight token specification is JWT (JSON Web Token). You can of course define your own way of generating tokens, as long as the server can decode and verify them and the token string carries enough information. Here is a brief introduction to how a JWT is generated. A JWT is just a string made of three parts: the header, the payload, and the signature.

They are joined in the form A.B.C, where C is computed from A and B: Base64url(header).Base64url(payload).HS256(A.B). Note that the header and payload are the strings obtained after serializing the respective objects to JSON, and that JWT uses the URL-safe Base64 alphabet without '=' padding.
The header describes basic information about the JWT and the algorithm used for the signature; as a JSON object it looks like this:

    {
      "typ": "JWT",
      "alg": "HS256"
    }

Serializing this object and Base64url-encoding the result gives string A: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
The payload also has a fixed layout; here it contains the following fields:

    {
      "sub": "1",
      "iss": "http://localhost:8000/auth/login",
      "iat": 1451888119,
      "exp": 1454516119,
      "nbf": 1451888119,
      "jti": "37c107e4609ddbcc9c096ea5ee76c667"
    }

The meaning of each field is as follows:
- sub: the subject the token is issued for, typically the user's uid
- iss: the issuer of the current JWT
- iat: the time the token was issued (issued at)
- exp: the expiration time of the current token (expiration time)
- nbf: the token must not be accepted before this time (not before); normally the same as the issue time
- jti: the unique identifier of the current token (JWT ID)

Serializing the payload object and Base64url-encoding it gives string B (the serializer escapes the forward slashes in the iss value as \/, which is why the encoded string decodes to http:\/\/localhost:8000\/auth\/login): eyJzdWIiOiIxIiwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwMDBcL2F1dGhcL2xvZ2luIiwiaWF0IjoxNDUxODg4MTE5LCJleHAiOjE0NTQ1MTYxMTksIm5iZiI6MTQ1MTg4ODExOSwianRpIjoiMzdjMTA3ZTQ2MDlkZGJjYzljMDk2ZWE1ZWU3NmM2NjcifQ

Finally, the signature: the two strings above are joined with the '.' character and the result is signed with the algorithm declared in the header (here HS256, that is, HMAC-SHA256 keyed with a secret held by the server). Base64url-encoding that signature gives string C. Note that this is a signature, not encryption: the header and payload are only encoded, so anyone holding the token can read them; the secret only prevents them from being altered or forged.

Joining the three strings A, B and C with '.' gives the complete JWT.


Using the token

Once the token has been generated, the client sends the string with every request. On the back end, authentication consists of decoding the token string in the agreed way, verifying its signature, and then checking whether the information stored in the token, including the user uid and the expiration time, meets the conditions.
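As an added example (not code from the original page), the following Python builds a JWT exactly as described in "Generation of Token", using the page's sample header and payload, and then verifies it the way the back end in "Using the token" does: recompute the HMAC-SHA256 over A.B, compare it in constant time, and only then check the exp and nbf claims. The secret key is a constructed placeholder; the sample claims are the page's own values, and the expected encoded strings in the block are what those values produce.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder secret for this example; a real server keeps its HS256 key out of source control.
SECRET = b"example-secret-do-not-use"

# The sample payload from the page, with the claim names in their standard lowercase form.
PAGE_CLAIMS = {
    "sub": "1",
    "iss": "http://localhost:8000/auth/login",
    "iat": 1451888119,
    "exp": 1454516119,
    "nbf": 1451888119,
    "jti": "37c107e4609ddbcc9c096ea5ee76c667",
}


def b64url_encode(raw):
    """Base64 with the URL-safe alphabet and no '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode: restore the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def serialize(obj):
    """Compact JSON with '/' escaped as '\\/', matching how the page's sample payload was serialized."""
    return json.dumps(obj, separators=(",", ":")).replace("/", "\\/").encode("utf-8")


def sign_hs256(secret, claims):
    """Build A.B.C: base64url(header).base64url(payload).base64url(HMAC-SHA256(secret, 'A.B'))."""
    header = {"typ": "JWT", "alg": "HS256"}
    a = b64url_encode(serialize(header))
    b = b64url_encode(serialize(claims))
    signing_input = ("%s.%s" % (a, b)).encode("ascii")
    c = b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return "%s.%s.%s" % (a, b, c)


def verify_hs256(secret, token, now=None):
    """Return the claims if the signature and the exp/nbf claims check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    a, b, c = parts
    header = json.loads(b64url_decode(a))
    # Pin the algorithm: nothing in the header can be trusted until the signature
    # has been checked, so the header must not be allowed to choose the verification method.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, ("%s.%s" % (a, b)).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature cannot be probed byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(c)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(b))
    # Time claims come from the payload, so they are only meaningful after the signature check.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


if __name__ == "__main__":
    token = sign_hs256(SECRET, PAGE_CLAIMS)
    print(token)
    # Accepted shortly after the issue time; the same token is rejected once 'exp' has passed.
    print(verify_hs256(SECRET, token, now=PAGE_CLAIMS["iat"] + 60))
```

The first two segments of the token produced by sign_hs256(SECRET, PAGE_CLAIMS) are the strings A and B from the page; only the third segment depends on the secret. Pinning the algorithm before the signature check and comparing digests in constant time are the two details a verifier most often gets wrong.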
