摘要:學(xué)開發(fā)半年多���,之前一直有個(gè)疑問為什么要用���,好好的用不好嗎其實(shí)就是新技術(shù)與老技術(shù),但是還是想弄懂這個(gè)問題之前一直疑惑��,今天搞懂了���,整合了一下學(xué)習(xí)過程��,先對(duì)比一下與一簡(jiǎn)述的生成方式與的生成方式的生成方式瀏覽器第一次訪問服務(wù)器時(shí)���,服務(wù)器創(chuàng)建一個(gè),
學(xué)開發(fā)半年多��,之前一直有個(gè)疑問:
為什么要用token����,好好的用sessionID不好嗎
(其實(shí)就是新技術(shù)與老技術(shù),但是還是想弄懂)
這個(gè)問題之前一直疑惑�����,今天搞懂了,整合了一下學(xué)習(xí)過程���,先對(duì)比一下sessionID與token
一�����、簡(jiǎn)述sessionID的生成方式與token的生成方式
1.sessionID的生成方式
瀏覽器第一次訪問服務(wù)器時(shí)���,服務(wù)器創(chuàng)建一個(gè)session���,同時(shí)生成一個(gè)唯一的會(huì)話key���,即sessionID。接著sessionID及session分別作為key和value保存到緩存中���,也可以保存到數(shù)據(jù)庫(kù)中�����,然后服務(wù)器把sessionID以cookie的形式發(fā)送給瀏覽器�,瀏覽器下次訪問服務(wù)器時(shí)直接攜帶上cookie中的sessionID����,服務(wù)器再根據(jù)sessionID找到對(duì)應(yīng)的session進(jìn)行匹配
這里我們注意到兩點(diǎn):1.sessionID會(huì)自動(dòng)由瀏覽器帶上 2.session是需要存儲(chǔ)空間的
2.token的生成方式
瀏覽器第一次訪問服務(wù)器時(shí)�,服務(wù)器根據(jù)傳過來的唯一標(biāo)識(shí)userId�����,通過一些算法�,加一個(gè)密鑰,生成一個(gè)token���,接著通過base64編碼將token返回給客戶端����?���?蛻舳藢oken保存起來,下次請(qǐng)求時(shí)需要帶著token�����,服務(wù)器收到請(qǐng)求后���,用相同的算法和密鑰去驗(yàn)證token
這里我們注意到兩點(diǎn):1.token需要代碼才能帶上 2.token可以不需要存儲(chǔ)空間(JWT)(當(dāng)然也有存入緩存的處理��,特別是要進(jìn)行revoke操作時(shí))�,通過算法和密鑰驗(yàn)證
3.區(qū)別
以上我們提出來的注意點(diǎn)就可以看出兩點(diǎn)區(qū)別了:1.瀏覽器方面,是否直接帶上 2.服務(wù)器方面����,是否需要存儲(chǔ)空間。
二.回答之前的疑問
1.安卓�,ios,微信小程序��,微信內(nèi)置瀏覽器上
安卓與ios用原生接口發(fā)請(qǐng)求時(shí)�,每一次創(chuàng)建一個(gè)會(huì)話(C/S模式)
https://blog.csdn.net/qq_4219...
https://www.cnblogs.com/liuji...
微信小程序通過微信官方提供的登錄能力獲取微信提供的用戶身份標(biāo)識(shí),快速建立小程序內(nèi)的用戶體系
https://developers.weixin.qq....
微信內(nèi)置瀏覽器會(huì)對(duì)所有請(qǐng)求做代理�����,導(dǎo)致出去的ip不固定
https://blog.csdn.net/wangjun...
2.安全問題上��,防止CSRF攻擊
(原來瀏覽器加載image標(biāo)簽中的地址也會(huì)發(fā)送sessionID的)
這里對(duì)技術(shù)機(jī)制沒有透徹的了解�,不敢隨意翻譯而誤導(dǎo)����,大家看一下以下的段落吧
摘自https://guides.rubyonrails.or...
Cross-Site Request Forgery (CSRF)
This attack method works by including malicious code or a link in a page that accesses a web application that the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.
In the session chapter you have learned that most Rails applications use cookie-based sessions. Either they store the session ID in the cookie and have a server-side session hash, or the entire session hash is on the client-side. In either case the browser will automatically send along the cookie on every request to a domain, if it can find a cookie for that domain. The controversial point is that if the request comes from a site of a different domain, it will also send the cookie. Let"s start with an example:
Bob browses a message board and views a post from a hacker where there is a crafted HTML image element. The element references a command in Bob"s project management application, rather than an image file: 
By viewing the post, the browser finds an image tag. It tries to load the suspected image from www.webapp.com. As explained before, it will also send along the cookie with the valid session ID.
The web application at www.webapp.com verifies the user information in the corresponding session hash and destroys the project with the ID 1. It then returns a result page which is an unexpected result for the browser, so it will not display the image.
Bob doesn"t notice the attack - but a few days later he finds out that project number one is gone.
It is important to notice that the actual crafted image or link doesn"t necessarily have to be situated in the web application"s domain, it can be anywhere - in a forum, blog post or email.
CSRF appears very rarely in CVE (Common Vulnerabilities and Exposures) - less than 0.1% in 2006 - but it really is a "sleeping giant" [Grossman]. This is in stark contrast to the results in many security contract works - CSRF is an important security issue.
三.總結(jié)
廣義上來說一切維護(hù)用戶狀態(tài)的技術(shù)都是session,然后sessionid與token就是老技術(shù)與技術(shù)
可是就是想知道為什么
以上內(nèi)容如有不對(duì)請(qǐng)指出
參考資料:
Session,Token相關(guān)區(qū)別:https://www.cnblogs.com/xiaoz...
基于 Token 的身份驗(yàn)證:JSON Web Token(附:Node.js 項(xiàng)目):https://ninghao.net/blog/2834
基于 session 和基于 token 的用戶認(rèn)證方式到底該如何選擇����?:https://www.v2ex.com/t/276207
我想知道token和sessionid的區(qū)別是什么:https://www.v2ex.com/t/80003
為什么 APP 要用 token 而不用 session 認(rèn)證����?:https://www.v2ex.com/t/148426
移動(dòng)端開發(fā)為什么不采用session而是用token:https://www.zhihu.com/questio...
文章版權(quán)歸作者所有����,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除�����。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/62013.html
