How to use tokens in PHP: 1. The client user enters the user name and password to log in and request the token; 2. Use the JWT specification to generate the token; 3. Verify the timeliness of the token; 4. , The client uses the token to request data.
The operating environment of this article: Windows 7 system, PHP version 7.1, Dell G3 computer.
How to use token PHP?
Generation and use of php token
Separation of front and back ends or to support multiple web application, then there will be big problems in using the original cookies or sessions.
Cookie and session authentication need to be under the same primary domain name for authentication (currently, the session can be stored in redis to solve the problem).
oauth2 and jwt
jwt: is a security standard. The basic idea is that the user provides the user name and password to the authentication server, and the server verifies the legitimacy of the information submitted by the user; if the verification is successful, a token (token) will be generated and returned
OAuth2: It is a secure authorization framework. It describes in detail how to achieve mutual authentication between different roles, users, service front-end applications (such as API), and clients (such as websites or mobile APPs) in the system.
(JWT, this JSON Web Token is used for authentication here)
Header: Encryption type
Description: Message content
key: a random code used to encrypt
Use the above three parts to connect. up, and then use hs256 to encrypt to generate token
1). The header usually consists of two parts: the type of token (i.e. JWT) and the encryption algorithm used (such as: SHA256 or RSA)
{ "alg": "HS256", "typ": "JWT" }
Then, this json is Base64Url encoded and becomes the first part
2). Payload is a statement. The declaration is about the entity.
{ "exp": "1525785339", "sub": "1234567890", "name": "John Doe", "admin": true }
The payload is then Base64Url encoded and becomes the second part
(PS: This information, although protected from tampering, can be read by anyone. Do not send important information unless it is encrypted Put it inside)
3). Use an encryption key
4). To sign, you need to use the first encoded part, the second encoded part, and then a key key. Use the encryption algorithm in the first part to sign
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), key )
This signature is used to verify whether the message has been tampered with.
(PHP uses the crypt method for encryption. Note: SHA-256 is used to prevent tampering, and AES-256 is used to encrypt. The two concepts are different)
Usually you should use the Bearer mode to add JWT (Authorization: Bearer) in the Authorization field in the request header (of course you can also place it anywhere, such as passing it as a parameter after the URL, as long as the client can recognize it, but Since JWT is a standard, we'd better follow the standard)
Recommended study: "PHP Video Tutorial"
1. 无法作废已颁布的令牌(对token刷新使用期限) 2. 不易应对过期数据(支持 token 失效)
So if you use a token, then if the token is captured, then it can be forged. Impersonate. So if security is relatively high, it is recommended to use oauth2
The above is the detailed content of How to use token PHP. For more information, please follow other related articles on the PHP Chinese website!