How to maintain app support login status (theory only)

This problem is too common, too simple, so that most developers do not pay attention to this problem, I based on communication with my developers, summed up the common methods are as follows:

One: The default session of the server

The biggest advantage of this way is that the server does not add any code, but the app and the site, usually, we would like the app's landing status can be maintained for several days, or even months, most of the service-side program, will be in the process restart or when the client is inactive, the session is all emptied, Cause State loss

Second, in the client record login user's user name and password

When the client logs on, it is determined that if the server returns a successful authentication, the user name and password (password multiple MD5) will be saved to the local localstorage for the sake of client security, and then each HTTP request, the user name and password are taken to the parameter. Every time the server needs to read the legitimacy of database judgment, it will waste a certain amount of resources, and, because the password is saved locally, it brings a certain security risk.

III: Maintain a persistent state with the help of a database or file system

This approach is to solve the problem that the session does not persist (such as modifying the location of the session to a file or database), and the security issues in scenario two, but this can reduce the performance of the server or waste the server resources, the code logic flow is as follows:

In the database, in addition to the common User,password, add one additional field, such as: SessionID

In the login interface, if the user entered the user name password to determine the correct, generate a random string, save to SessionID, while the client will also save the value, on each request, pass the value, the server through this value query database, to obtain the user's identity information.

Four: Key mode

The above three methods, either cannot persist the state, either is insecure, or each request needs to read the database validation, there is no way to solve the above defects, so, there is this method, the process is as follows:

1: Client input user name and password, submit to server Authentication

2: After the server authentication succeeds, the following values are returned to the client:

UID: User's unique indication

Time: Current UNIX timestamp

KEY:MD5 (uid+time+ "A string key that only you know")

3: The client saves the above 3 values locally, sending the above 3 values to the server each time an HTTP request

4: Server Authentication key, determine if the client sends the key consistent, the user identity is correct

5: Each time the server receives a request, it can control the validity period of the key by the difference between the current time-client

Source: http://ciniao.legu.cc/appcan/article_54.html

How to maintain app support login status (theory only)