php method to add token to response header: 1. Use Bearer mode to add JWT in the Authorization field in the header of the request; 2. After the server receives the request, use the JWT specification to generate the token and return Just give it to the client.
The operating environment of this tutorial: Windows 10 system, PHP version 8.1, DELL G3 computer
How to add token to the response header in php ?
Generation and use of php token
1. Why use token for login
Separation of front and back ends or to support multiple web application, then there will be big problems in using the original cookies or sessions
Cookie and session authentication need to be under the same main domain name before they can be authenticated (currently, the session can be stored in redis to solve the problem) .
2. Solution
oauth2 and jwt
jwt: is a security standard. The basic idea is that the user provides the user name and password to the authentication server, and the server verifies the legitimacy of the information submitted by the user; if the verification is successful, a token (token) will be generated and returned
OAuth2: It is a secure authorization framework . It describes in detail how to achieve mutual authentication between different roles, users, service front-end applications (such as API), and clients (such as websites or mobile APPs) in the system.
(jwt is used here, this JSON Web Token is used for authentication)
3. Generation method
Header: Encryption type
Description :Message content
Key: A random code is used to encrypt
The above three parts are connected. Then use hs256 to encrypt and generate token
4. Detailed generation method
1). The header usually consists of two parts: the type of token (i.e. JWT) and the encryption algorithm used (such as SHA256 or RSA)
{ "alg": "HS256", "typ": "JWT" }
Then, this json is Base64Url encoded, becoming the first part
2). The payload is the declaration. The declaration is about the entity.
{ "exp": "1525785339", "sub": "1234567890", "name": "John Doe", "admin": true }
The payload is then Base64Url encoded and becomes the second part
(PS: This information, although protected from tampering, can be read by anyone. Do not send important information unless it is encrypted Put it inside)
3). Use an encryption key
4). To sign, you need to use the first encoded part, the second encoded part, and then a key key. Use the encryption algorithm in the first part to sign
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), key )
This signature is used to verify whether the message has been tampered with.
(PHP uses the crypt method for encryption. Note: SHA-256 is used to prevent tampering, and AES-256 is used to encrypt. The two concepts are different)
5. Token storage location
Usually you should use the Bearer mode to add JWT (Authorization: Bearer) in the Authorization field in the request header (of course you can also place it anywhere, such as passing it as a parameter after the URL, as long as the client can recognize it, but Since JWT is a specification, we'd better follow the specification)
6. Usage method
The client user enters the username and password and then logs in, requesting the token
server After receiving the request, use the JWT specification to generate a token and return it to the client
After the client receives the token, it decrypts it, verifies the timeliness of the token (the expiration time of the token), and saves it
The client uses the token to request data
After the server receives the token and decrypts it, it verifies the user's identity, verifies the timeliness, and then verifies the user
7. Disadvantages
1. Unable to invalidate issued tokens (refresh the token usage period)
2. It is not easy to deal with expired data (support token invalidation)
So if you use a token, then if the token is If caught, it can be forged and impersonated. Therefore, if the security is relatively high, it is still recommended to use oauth2
Recommended learning: "PHP Video Tutorial"
The above is the detailed content of How to add token to response header in php. For more information, please follow other related articles on the PHP Chinese website!