Token verification details
Published: 2019-05-27
why use Token authentication:
Token-based authentication can be seen everywhere in the Web domain.In most Internet companies that use Web API, tokens are the best way to handle authentication under multi-users.
The following features will allow you to use token-based authentication in your program
1. Stateless and scalable
2. Support mobile devices
3. Cross-program calling
4. Safety


Token bosses who use token-based authentication

Most API and Web applications you have seen use tokens.For example, Facebook, Twitter, Google+,GitHub, etc.


Token Origin

Before introducing the principle and advantages of token-based authentication, we might as well look at how the previous authentication was done.

Server-based authentication

We all know that the HTTP protocol is stateless, which means that the program needs to verify each request to identify the client.

Prior to this, programs identified requests through login information stored on the server.This method is generally accomplished by storing a Session.

With the rise of the Web, applications and mobile terminals, this method of verification has gradually exposed problems.Especially in terms of scalability.


Some Problems Exposed by Server-Based Authentication

1. See: Every time the authentication user initiates a request, the server needs to create a record to store the information.As more and more users make requests, the memory overhead will also increase.

2. Scalability: Use Seesion to store login information in the memory of the server, which is accompanied by scalability issues.

3.CORS (Cross Origin Resource Sharing): When we need to use data across multiple mobile devices, sharing cross-domain resources can be a headache.When you use Ajax to grab resources from another domain, you can prevent requests.

4.CSRF (Cross-site request forgery): When users visit bank websites, they are easily attacked by Cross-site request forgery and can be used to visit other websites.

Extensible rows are the most prominent among these problems.Therefore, it is necessary for us to find a more effective method.


Verification Principle Based on Token
Token-based authentication is stateless. We do not store user information in the server or Session.
This concept solves many problems when the server stores information.
NoSession means that your program can add or subtract machines as needed without worrying about whether the user is logged in.
Token process of token-based authentication is as follows:
1. Users send requests through user names and passwords.
2. Program verification.
3. The program returns a signed token to the client.
4. The client stores the token and uses it every time to send a request.
5. The server verifies token and returns data.
Each request requires a token.Token should be sent in the header of Http to ensure that HTTP requests are stateless.We also enable the server to accept requests from all domains by setting the server property Access-Control-Allow-Origin:*.It is important to note that when the ACAO header is marked (designing) *, certificates such as HTTP authentication, client SSL certificate and cookies are not allowed.

Code Instance Process:

//User Login for the First Time
username pwd client_type
//interface judgment
Query token table
$token=where uid =uid
Login succeeded!!
Returns token and uid
Login failed!!
if(usename powd client_type){
Verify user name and password
If (correct) {
Get uid and generate token(md5( uid.pwd.time () self-defined rule))
If (uid does not exist) {
Intotoken table id uidtoken
Where uid = $ uid modify token
Returns token and uid
Returns an error message;
Client C stores uid and token files
Use uid and token the next time you log in again

Enables users to log in and kick each other

After we have authenticated the information in the program and obtained the Token, we can do many things through this token.

We can even send a permission-based token to third-party applications based on the creation of the token. These third-party applications can obtain our data (of course only in the specific token that we allow)


Tokens' advantages

Stateless, Scalable

Tokens stored at the client are stateless and can be extended.Based on this stateless and non-storage Session information, the load balancer can transfer user information from one service to other servers.

If we save the information of the authenticated user in the Session, each request requires the user to send authentication information (called Session affinity) to the authenticated server.When the number of users is large, it may cause

Some congestion.

but don't worry.After using tokens, these problems are solved, because tokens hold the user's authentication information.


Sending token instead of cookie in request can prevent CSRF (Cross-site request forgery).Even if the client uses cookies to store token, cookies are only a storage mechanism and not used for authentication.Don't store information in the Session, so we have less operation on the session.

token is time-limited, users need to re-verify after a period of time.We don't have to wait until the token automatically expires. The token has a withdrawal operation. A specific token or a group of tokens with the same authentication can be invalidated through token revocataion.

Scalability ()

Tokens can create programs that share permissions with other programs.For example, you can associate a casual social account with your own large size (Fackbook or Twitter).When logging into Twitter via service (we will Buffer this process), we can attach these Buffers to Twitter's data stream (we are allowing buffer to post to our Twitter stream).

When using tokens, you can provide optional permissions to third-party applications.When a user wants another application to access their data, we can establish our own API to obtain tokens with special permissions.

Multi-platform Cross-domain

Let's talk about CORS (Cross Origin Resource Sharing) in advance. When expanding applications and services, we need to intervene in various devices and applications.

Having our API just serve data, we can also make the design choice to serve assets from a CDN. This eliminates the issues that CORS brings up after we set a quick header configuration for our application.

As long as the user has an authenticated token, data and resources can be requested on any domain.

<span style="margin:0px; padding:0px; color:rgb(255,255,255); background-color:rgb(0,0,0)"><code class=" language-javascript" style="margin:0px; padding:0px">          Access<span class="token operator" style="margin:0px; padding:0px">-Control<span class="token operator" style="margin:0px; padding:0px">-Allow<span class="token operator" style="margin:0px; padding:0px">-Origin<span class="token punctuation" style="margin:0px; padding:0px">: <span class="token operator" style="margin:0px; padding:0px">*       <br style="margin:0px; padding:0px" /></span></span></span></span></span></code></span>


When creating token, you can set some options.We will describe it in more detail in subsequent articles, but the standard usage will be reflected in JSON Web Tokens.

recent programs and documents are supplied to JSON Web Tokens.It supports many languages.This means that you can really change your authentication mechanism in future use.


This article only introduces why token-based authentication is chosen and how to use it.