I would like to use token instead of the session to determine the user's login status, because it is a small white, first contact token, unclear process.
My question will be (parentheses) up
My idea is this:
After the user clicks the login, uses the AJAX to send the user name and the password to the server, the judgment user information is correct after PHP generates a token (how to generate?) Do I need to get user information to generate it? Do you need encryption? How to encrypt? )。
Then the generated token exists in the database, and then the token is sent back to the user app (with what, JSON security, how to ensure that tokens are not intercepted, or intercepted and do not do bad things), and stored in the app Local.
After login to jump to a new page, the new page will initially be Ajax send the presence of the local user name and token, if the token and the database is not the same will be canceled login status, jump back to the login page. (Does the token need to be updated once, or until the next time the user logs in?) If an update is required, how long is the recommended update interval? )
Each user's action to communicate with the server is token-validated "as a third step." (Do not need to verify each operation, this will not be as usual the burden of server and database, the most important thing is the user app efficiency is not very bad?) )
I hope someone help me this small white, online search a lot of can not find the answer I want ...
Reply content:
Is this, I want to use Html/css/js to do an Android hybrid APP, with the Cordova to packaging.
As for the server, it is PHP.
I would like to use token instead of the session to determine the user's login status, because it is a small white, first contact token, unclear process.
My question will be (parentheses) up
My idea is this:
After the user clicks the login, uses the AJAX to send the user name and the password to the server, the judgment user information is correct after PHP generates a token (how to generate?) Do I need to get user information to generate it? Do you need encryption? How to encrypt? )。
Then the generated token exists in the database, and then the token is sent back to the user app (with what, JSON security, how to ensure that tokens are not intercepted, or intercepted and do not do bad things), and stored in the app Local.
After login to jump to a new page, the new page will initially be Ajax send the presence of the local user name and token, if the token and the database is not the same will be canceled login status, jump back to the login page. (Does the token need to be updated once, or until the next time the user logs in?) If an update is required, how long is the recommended update interval? )
Each user's action to communicate with the server is token-validated "as a third step." (Do not need to verify each operation, this will not be as usual the burden of server and database, the most important thing is the user app efficiency is not very bad?) )
I hope someone help me this small white, online search a lot of can not find the answer I want ...
1, user login generates a unique value token is deposited into the Redis database (token generation: can be used Random_int (), random_bytes (), or openssl_random_pseudo_bytes () The function generates a random number plus the user's IP. If you want to be more secure, there are some transformations you can make, and you can look at the books on cryptography. );
2, all network requests must use HTTPS, otherwise token can be easily stolen. (The Web program does not protect tokens, because the Web page algorithm will be written in JS, JS files can be browsed, so others browse JS files know your algorithm, even if JS is confused is still not safe, Android and iOS programs if the algorithm will be solved by others know, So the best solution is to use HTTPS);
3,token must set expiration time, this time is arbitrary, and there is no special limit, can let product personnel set. If no one is set, it can be used for 15 minutes;
4, if a user is required to log in to access the content each request must be with token, and token verification. (This is why you use Redis instead of MySQL to store tokens, increasing the speed of requests); The default PHP file storage session, each time to read files, in fact, there will be performance loss, not necessarily better than reading database performance. So you don't have to worry about the performance issues caused by reading the database.
5, if it is a Web page program, general login can store tokens in the cookie, and set http-only (indicating that the cookie value can not be read by JS)
Your process is looking at me, not very clear. Give you a thought, the role of token is that it is a string can not be tampered with, after tampering is invalid, the front end of any data can be illegally tampered with. 1: After the user login PHP read the user's token and output to the page, token generally has a user identity token and user identity token, of course, with a can also see your back-end token test algorithm. 2: When the front-end and back-end data interact, the data and tokens are passed into the backend, token plays the role of user identity and identity. The frontend should not pass in the user name and password to the backend. Token if tampered with, the test fails. 3:token generation and user information does not need to have any association, token by the meaning of the number of benevolence strings, stored in the database, token life cycle to see your needs, generally generate a permanent use, the user table in the database to increase the token field to store tokens, or create a table that associates user_id with tokens.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
