Front-end login implementation
Four ways

Why cookies exist: HTTP is a stateless protocol. Each request establishes a new connection, and the connection is closed when the request ends. The advantage is that connection resources are saved; the disadvantage is that user state cannot be kept. Cookies address this problem.

Cookies are stored in the browser and can be set either from JavaScript or through the Set-Cookie response header.

Limitations of cookies:

With cookies, the server can get information from the client; if it needs to verify that information, it needs a session.

After receiving the client's request, the server allocates a region of its own memory to store the session.

After the first login, this cookie is sent with every subsequent visit, and the server can verify whether the user is logged in according to the sessionId (it checks whether this sessionId matches the sessionId saved by the server, whether a record of this sessionId exists, and whether the record is still valid).

When the client browser accesses the server, the server records the client's information on the server in some form. This is a session. When the client browser accesses the server again, the server only needs to look up that client's state in the session.

A token is a string generated by the server that serves as the client's credential for making requests. After the first login, the server generates a token and returns it to the client. On later requests, the client only needs to present this token to authenticate.

Disadvantages

JWT (JSON Web Token)

The server does not need to store the token, so how can the server verify whether the token passed by the client is valid?

Answer:

The token is not a random string, but a string assembled from several parts using specific algorithms.

The header section specifies the signature algorithm used by this token.

The payload section states the intent of the JWT.

The signature section is the JWT's signature; its main purpose is to prevent the JWT from being tampered with.
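As an added example (not code from the original article), the Python sketch below shows how a server can check a token it never stored: it recomputes the signature over the header and payload and compares. It assumes the HS256 algorithm (HMAC-SHA256 with a server-side secret); the function names, the secret, and the `exp` expiry claim are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-constructed-for-this-example"  # assumption: server-only key

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for each JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> str:
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + sign(signing_input, secret)

def verify_token(token, secret: bytes = SECRET, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        header_b64, payload_b64, signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # The server pins the algorithm; the token must not choose it (e.g. "none").
        if header.get("alg") != "HS256":
            return None
        expected = sign(header_b64 + "." + payload_b64, secret)
        # Constant-time comparison avoids leaking how much of the signature matched.
        if not hmac.compare_digest(expected, signature):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong segment count, bad base64 or bad JSON
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        return None  # a stateless token cannot be revoked, so expiry is mandatory here
    return claims
```

The payload is only encoded, not encrypted, so anything placed in the claims is readable by whoever holds the token.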

The signature part has two steps.

One:

Two:

The final token is calculated as follows:

Single sign-on means that the company sets up a shared authentication center through which all of the company's products authenticate. Once a user has been authenticated for one product by the authentication center, they do not need to authenticate again when accessing the other products.

At this point, because the logged-in cookie for a.com already exists, server-side authentication succeeds directly.

At this point, because the authentication center already holds the cookie from the earlier login, you don't need to enter the account and password again, and you can start directly from step 4.

At this point single sign-on is complete: under the management of the same authentication center, multiple products share the login state. Now we need to consider logout: when the user logs out of one product, how are the other products logged out?

The principle is not difficult. The product takes its ticket to the authentication center and calls the authentication center's logout API.

When the product c.com logs out:

Single sign-on is a centralized authentication system. When a project needs to make a request, it first sends a request to the SSO service, which places a token in the browser cache; the token is then put in the request header on each request, just as with other authenticated interfaces. Its advantage is that one account can log in to different systems, because different projects can all use this token. And because SSO manages user information centrally, that information is easy to obtain.

Take WeChat as an example.