How to store tokens is more appropriate?

To maintain multi-step process consistency, I need to use token (such as password retrieval): Step 1. The user submits the user name and verification code for password retrieval. I generate token1, the returned page contains the token1 Step 2. the user submits the SMS verification code and token1 he received. I will refer to token1... to maintain multi-step process consistency, I need to use the token (for example, retrieve the password ):

Step 1: The user submits the user name and verification code for password retrieval. I generate token1 and the return page contains the token1

Step 2: The user submits the text message verification code and token1 he received. Based on token1, I identify the user, whether the text message verification code is correct, whether the token expires, and whether the token is used correctly, if both are valid, I generate a token2, and the returned page contains the token2

Step 3: The user submits his new password and token2. I use token2 to find the user and reset the password of the user.

The token here is time-sensitive. in mysql, I run the cron job every day to delete the expired token. This is not good. How should I store the token? Or is there a better way?

Reply content:

To maintain multi-step process consistency, I need to use the token (for example, retrieve the password ):

Step 1: The user submits the user name and verification code for password retrieval. I generate token1 and the return page contains the token1

Step 2: The user submits the text message verification code and token1 he received. Based on token1, I identify the user, whether the text message verification code is correct, whether the token expires, and whether the token is used correctly, if both are valid, I generate a token2, and the returned page contains the token2

Step 3: The user submits his new password and token2. I use token2 to find the user and reset the password of the user.

The token here is time-sensitive. in mysql, I run the cron job every day to delete the expired token. This is not good. How should I store the token? Or is there a better way?

Token can use md5 (username + userid + timestamp) _ timestamp. This format of token will basically not be repeated, and the timestample at the end can also be used for expiration detection.
Generally, a token is enough for a user. When you generate a second token, the first one is invalid, so you can directly update it, in this way, each user does not need to consider deleting a token at most. Of course, when the token is verified to be valid, the token set in the database should be null to prevent the same token from being reverified.

Token does not need to be stored. You can use the reverse encryption/decryption algorithm of AES to encrypt data, such as aes. ecode (userId + time + info + key (key), generate token, and send this string back to the client. You do not need to save it, you only need aes when he returns it to you next time. after decode (token) is decrypted, you can obtain the user information here and compare it with the user information currently logged in.

Or you don't need to store the token, so the validity information is stored in the token. You can see this json web token.

The token does not need to be stored in mysql. Just save the memory.
Deletes expired tokens during one thread rotation.
Of course, you will say that it is down, and the memory data is gone, but the password retrieval operations are not often, this data is not too much, and the timeliness is generally not too long. If it is really down, the user cannot access the service even if it goes down. Therefore, it is not necessary to discard the token, so that the user can submit the retrieval operation again.

It can be stored in memcahe or redis, And the cache setting time expires.

I usually store sessions directly.

Token I used the md5 user name and the existing password to generate ....
Then record the time

Save redis and set the expiration time is the most convenient

The token is similar to the session used in a single web project. It can be saved to view access logs without being saved. However, it is best to record the operation logs of each module and function, for later operation and maintenance.