Token, the most important feature of tokens, is randomness, unpredictable. General hackers or software can not guess out.
So, what does token do? What is the principle of it?
Tokens are typically used in two places- preventing forms from repeating commits, anti CSRF attacks (cross-site request forgery).
Both are based on the principle of the session token to achieve. When the client requests the page, the server generates a random number token, puts the token into the session, and then sends the token to the client (typically by constructing the hidden form). The next time the client submits the request, token is submitted to the server side as a single table.
Then, if applied to the "anti csrf attack", the server side validates the token value and determines if it is equal to the token value in the session, and if it is equal, it can prove that the request is valid, not forged.
However, if you apply to prevent form recurrence , the server side will update the token value in the session after the first validation, and if the user repeats the commit, the second validation judgment will fail because the token in the user's submitted form is unchanged. But token has changed in the server-side session.
The above session application is relatively safe, but also called cumbersome, and when multi-page multi-request, must use multi-token simultaneous generation method, so that the use of more resources, execution efficiency will be reduced. Therefore, cookies can also be used to store authentication information in place of Session tokens. For example, when a "duplicate commit" is submitted, the information that has been submitted is written to the cookie after the first commit, and when the second commit, the second commit fails because the cookie already has a record of its submission.
However, Cookie storage has a fatal weakness, and if a cookie is hijacked (an XSS attack can easily get a user cookie), then again Gameover. Hackers will directly implement CSRF attacks.
So, safe and efficient relative. Specific questions to deal with it.
Reference Source: http://blog.csdn.net/sum_rain/article/details/37085771
On the token of web security