To implement the so-called stateless authentication, if you use Cookie authentication, you don't need to use session. Isn't it necessary to re-authenticate the database every time? My specific implementation is to define a key & quot; random & quot; user_profile table to assign a random user when the token user is registered... to implement the so-called stateless authentication, if you use Cookie authentication, you don't need to use session. Isn't it necessary to re-authenticate the database every time?
My specific implementation is
Define a key = "random ";
When a token user is registered, a random value is assigned to the user_profile table.
When a user logs on,
String userToken = md5 (User ID + token + key );
Response. addCookie ("user_id", user ID );
Response. addCookie ("user_token", userToken );
Then define a login interceptor
String userId = request. getCookie ("user_id ");
String userToken = request. getCookie ("user_token ");
String token = db. getUserTokenById (userId); // You Need to query the database every time.
String userToken2 = md5 (User ID + token + key );
If (userToken. equals (userToken2 ){
// Login successful
} Else {
}
Although this method is simple, it can effectively prevent cookie forgery.
However, you need to query the database every time. Is there any better implementation method?
Reply content:
To implement the so-called stateless authentication, if you use Cookie authentication, you don't need to use session. Isn't it necessary to re-authenticate the database every time?
My specific implementation is
Define a key = "random ";
When a token user is registered, a random value is assigned to the user_profile table.
When a user logs on,
String userToken = md5 (User ID + token + key );
Response. addCookie ("user_id", user ID );
Response. addCookie ("user_token", userToken );
Then define a login interceptor
String userId = request. getCookie ("user_id ");
String userToken = request. getCookie ("user_token ");
String token = db. getUserTokenById (userId); // You Need to query the database every time.
String userToken2 = md5 (User ID + token + key );
If (userToken. equals (userToken2 ){
// Login successful
} Else {
}
Although this method is simple, it can effectively prevent cookie forgery.
However, you need to query the database every time. Is there any better implementation method?
Since the query is necessary for the entire transaction, you should consider improving the query efficiency, according to the actual needs such as memcache, redis is a key-Value Pair type of data storage, which can meet the data storage requirements and alleviate performance problems.
You do not need to query the database every time. The token is put into the memory for cache. You only need to check the cache next time. Check whether the token is valid and whether it expires.
Token :{
Uid: xxx
Expired: xxx
}
I don't know where your things are better than session. In fact, you can use your data for AES encryption, and then perform anti-Resolution on the server side.
For example:
Token = aesHash (uid + '|' + mKey + '+ 'time)
Response. cookie (token, token );
Verification
Uid, mKey, time = deAes (token)
You can also have ip addresses, ua, and operating systems. As long as you like .. You can verify the user's identity based on your own situation.
Database query is indispensable. There will always be a bunch of verifications, such as the user status, user identity, and user permissions.
However, you can do this at the redis level, with both performance and durability.
Do not store in the database. Use memcache or redis to solve both distributed problems and high performance.
NoSQL can be considered