Session and Token
Introduction
I am working with a login API, and therefore I have some notes about Session and Token (JWT, JSON Web Token).
Session
The general practice of a login system is to verify that the customer's login information is correct and, if it is, add a logged-in attribute to the client's session. There are usually tools that do this for us. Generally the default name of the session cookie is "JSESSIONID"; it is stored in the client's cookie, so we don't have to write any more complicated operations in the program.
Each time the client sends a request, it brings the session ID along with it. The server takes the session ID and looks up the corresponding session among the many sessions stored on the server.
So if there are 10000 users online, the server needs to store 10000 different sessions in the database, which means very high I/O. There is also the problem of how to share sessions between multiple hosts.
To solve this problem, we normally use Redis.
JWT token
It is very popular to use a JWT as a token instead of a session. A JWT is a string that the server signs and issues to the client.
After receiving the token, the client sends it along with each request that needs it, so that the server can verify the signature and thereby the client's identity.
Because the token itself stores the client's authentication information, the server generally no longer stores the token after it is issued.
Note that the token can also be stored in a cookie.
JWT implementation
A JWT has three parts: header, payload and signature.
Each part is base64url encoded (encoding, not encryption: anyone holding the token can read the header and payload, so never put secrets in them).
Header
- alg: the cryptographic algorithm used for the signature
- typ: JWT
Payload
- iss: Issuer
- sub: subject, can be a key value such as the account number
- exp: expiration time
Signature
sign(hash(header+payload))
The signature also certifies that only the party holding the private key could have signed it.
Generating JWT
// JWT code here
Check the token
- Note 1: Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer scheme. The header should look like the following:
Authorization: Bearer <token>
public class AuthorizationCheckFilter extends OncePerRequestFilter {
The JWT implementation in NestJS
https://github.com/etklam/nestjs-jwt-implementation