文章目录
- Node Modules for JWT
- Scalability
- Multiple Device
- 比较session & token
- Working
- Pros/Cons
token&session
references
-
Cookie + Session 适合于简单的后端架构 -
Token 适合大型分布式的后端架构 - SSO 单点登录想要统一内部所有产品的登录方式的情况。
- OAuth 第三方登录
MDN
- HTTP authentication - HTTP | MDN (mozilla.org)
- Using HTTP cookies - HTTP | MDN (mozilla.org)
- Using HTTP cookies&secure - HTTP | MDN (mozilla.org)
wikipedia:计算机中的token
- Token, an object (in software or in hardware) which represents the right to perform some operation:
- Session token, a unique identifier of an interaction session
- Security token orhardware token, authentication token or cryptographic token, a physical device for computer authentication
- Access token, a system object (representing (thesubject(of access control operations)))
- Tokenization (data security), the process of substituting a sensitive data element
- Invitation token, in aninvitation system
- Token Ring, a network technology in which a token circles in a logical ring
- Token, an object used inPetri net theory
- Lexical token, a word or other atomic parse element
geeksforgeeks
- Session vs Token Based Authentication - GeeksforGeeks
- Session vs Token Based Authentication | by Sherry Hsu | Medium
无状态的Http协议
- HTTP is stateless. All the requests are stateless.
- However, there are situations where we would like our states to be remembered.
- For example, in a on-line shop, after we put bananas in a shopping cart, we don’t want our bananas to disappear when we go to another page to buy apples. ie. we want our purchase state to be remembered while we navigate through the on-line shop!
- To overcome the stateless nature of HTTP requests, we could use either a session or a token.
session&token 应用场景
- The Session and Token-based Authentication methods are used to make a server trust any request sent by an authenticated user over the internet.
- In this way, a user can interact with their accountwithout continually specifying their credentials.
- These methods are usually used for different purposes.
- For example, sessions are commonly used inwebsites applicationswhile
- tokens are preferred inserver-to-serverconnections.
Session Authentication
session file
- Asession is a small file, most likely in JSON format, that stores information about the user, such as a unique ID, time of login and expirations, and so on.
- It is generated and stored on the server so that the server can keep track of the user requests.
- The user receives some of these details, especially the ID, as cookies that will be sent with every new request,so that the server can recognize the ID and authorize the user’s requests.
Working
- The user sends a login request to the server.
- The serverauthenticatesthe loginrequest,
- sends a session to the database, and
- returns a cookie containing the session ID to the user.
- The server checks in the database forthe ID found in the cookie, if the ID is found itsends the requested pages to the user.
- Now, the user sends new requests (with a cookie).
Session Authentication
- In the session based authentication, theserverwillcreate a sessionfor the userafter the user logs in.
- Thesession idis thenstored on a cookieon theuser’s browser.
- While the user stays logged in, the cookie would besent along with every subsequent request.
- Theservercan thencompare the session id stored on the cookieagainstthe session information stored in the memorytoverify user’s identityandsends response with the corresponding state!
Pros/Cons: 优缺点
good points and bad points
good
- Since sessions are stored on the server, its administrators are in power over them.
- For example, if a security team suspects an account iscompromised(bring into disrepute or danger by indiscreet, foolish, or reckless behaviour.),they can immediately invalidate the session ID,
- so that the user is immediately logged out.
简而言之,可以强迫下线可能处于被盗号的账号!
bad
- On the other hand, since a session is stored on the server, the server isin charge of looking up the session ID that the user sends.
- This cancause scalability problems([skeɪlə’bɪlɪtɪ]扩展性问题).
- Cookies may be exposed tocross-site request forgery attacks(csrf)
- (forgery:the action of forging a copy or imitation of a document, signature, banknote, or work of art).
- The attacker maymislead the user to a hostile website, where some JS scripts may exploit cookies to send malicious requests to the server.
- Another vulnerability regards the chances ofa man-in-the-middle attack, where an attacker can intercept the session ID and perform harmful requests to the server.
- intercept: obstruct /stop (someone or something) so as to prevent them from continuing to a destination.
Token-Based Authentication
关键词
- 密钥
- 签名
- Many web applications useJSON Web Token (JWT)instead of sessions for authentication.
- In the token based application,the server creates JWTwith a secret andsends the JWT to the client.
- Theclientstores the JWT (usually in local storage) andincludes JWT in the header with every request(send to the server).
- The server would thenvalidate the JWTwith every request from the client and sends response.
Token Based Authentication flow
- The biggest difference here is that the user’s state is not stored on the server, asthe state is stored inside the token on the client side instead.
- Most of the modern web applicationsuse JWT for authentication for reasons includingscalability and mobile device authentication.
Node Modules for JWT
-
jsonwebtoken library can be used to created the JWT token on the server. - Once the user is logged in, the client passes the JWT token back on the header.authorization.bearer attribute.
{
method: "GET",
headers:{
"Authorization": "Bearer ${JWT_TOKEN}"
}
}- Middleware,
express-jwt, can be used to validate the JWT token by comparing the secret.
Scalability
- Session based authentication: Because the sessions are stored in the server’s memory, scaling becomes an issue when there is a huge number of users using the system at once.
- Token based authentication: There is no issue with scaling because token is stored on the client side.
Multiple Device
- Session based authentication: Cookies normally work on a single domain or subdomains and they are normally disabled by browser if they work cross-domain (3rd party cookies).
- It poses issues when APIs are served from a different domain to mobile and web devices.
- Token based authentication: There is no issue with cookies as the JWT is included in the request header.
- Token Based Authentication using JWT is themore recommended method in modern web apps.
- One drawback with JWT is thatthe size of JWT is much biggercomparing with the session id stored in cookie because JWT containsmore user information.
- Care must be taken to ensure only the necessary information is included in JWT andsensitive information should be omitted to prevent XSS security attacks.
比较session & token
- token 和 session 的验证机制最大的区别是用“签名验证机制”代替了“白名单验证机制”
- session 必须在服务器维护一个 session_id 的白名单来验证 session_id 的合法性。
- token 的改进之处就在这里,token 通过签名机制,只要前端传来的token 能通过签名认证就是合法的,不需要服务器维护任何东西,所有的需要东西都放在在 token 里面。
- Atoken isan authorization filethat cannot betamperedwith.
- tamper:interferewith (something) in order to cause damage or make unauthorized alterations.
- It is generated by the serverusinga secret key,sent to and stored by the userin their local storage.
- Like in the case ofcookies, the user sends this token to the serverwith every new request, so that the server canverify its signatureandauthorize the requests.
Working
- The user sends a login request to the server.
- The server authorizes the login andsends a token to the user.
- The server checks the token is valid or not, if the token is valid it sends the requested pages to the user.
- Now, the usersends a new request(with a token).
Token Authentication
- Note- Those arenotauthentication files,they areauthorization ones.
- While receiving a token, the server does not look up who the user is, it simply authorizes the user’s requests relying on the validity of the token.
Pros/Cons
Pros
- Tokens can be useful when the user wants toreduce the number of times they must send their credential.
- In the case of server-to-server connections, usingcredentialsbecomesdifficult, andtokens overcome this problem.
- Moreover, servers that use tokens canimprove their performances,because theydo not need to continuously look through all the session detailsto authorize the user’s requests.
Cons
- However,the authentication details are stored on the client, sothe server cannot perform certain security operations as in the session method.
- As written above, the server doesnot authenticate the user,solinking a token to its user can be more difficult.
- If ahypotheticalattacker manages to geta valid token, they may haveunlimited access to the server databases. If the server generates keys usingolder algorithms,these keys can bebreached(make a gap in and break through).
多方面对比session&token
Differences Between Session and Token-Based Authentication Methods
Criteria | Session authentication method | Token-based authentication method | |
1 | Which side of the connection stores the authentication details | Server | User |
2 | What the user sends to the server to have their requests authorized | A cookie | The token itself |
3 | What the server does to authorize users’ requests | Looking up in its databases to find the right session thanks to(because) the ID the user sends with a cookie | Decrypting the user’s token and verifying its signature |
4 | Can the server admins perform securities operations like logging users out, changing their details, etc | Yes, because the session is stored on the server | No, because the token is stored on the user’s machine |
5 | From what kind of attacks the method may suffer | Man-in-the-middle, Cross-site request forgery | Man-in-the-middle, Token steal, breaches of the secret key |
6 | Preferred method application | User-to-server connections | Server-to-server connections |
Conclusion
- 两者都有可能受到中间人工攻击
- Session and token-based are two authentication methods that allow a server to trust all the requests it receives from a user.
- The main difference is session-based authentication of the connection stores the authentication details.
- The session method makes the server store most of the details, while in the case of the token-based one the client stores them.
- The session authentication method is based on the concept of the ID being shared with theclient through a cookie file, while the rest of the details are on the session file, stored on the server.
- The token-based authentication method is based on the concept that possessing a token is the only thing that a user needs to have their requests authorized by the server,which must only verify a signature.
- The token is secure to use because it cannot be tampered with.
- Both methods haveinherent vulnerabilities that can be most easily resolved with different workarounds.
- In the end, developers must decide which method suits better to their needs and applications.
