php development app interface, user login problem
The situation is like this. After successful login, the previous user login interface is not saved on the server session. It may be saved on the app side. Therefore, even if the user logs in successfully, when adjusting certain interfaces, user_id must still be passed as a parameter instead of being obtained from the server's session.
Today I want to modify the login and registration interface. My colleague said that the app interface does not have the concept of session, but I always feel that there should be other ways to store user sessions on the server.
So I want to ask all the masters:
1. php开发app接口有没有`session`的概念?
2. 如果没有,用户会话是怎么处理的?就是当前是否在登录状态Thank you everyone!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
You can take a look at jwt
Self-contained: The payload contains all the information needed by the user
I set the token and expiration time, and use the token to verify
First, you create a login interface. The app calls this interface. After you verify the username and password passed by it, return a token to it.
Token you create a table to save, and the table stores user_id token expire_data and other fields. Note that token and user_id are unique.
Every time he requests other interfaces in the future, he only needs to bring this token to you, and you can verify the token.
The passed token is encrypted/expired/guaranteed to be unique, which is basically it.
1. The request header contains the user
username和password,到服务器端做验证,通过才继续下边业务逻辑。优点:防止了服务器端
apiand is called at will.Disadvantages: The username and password are exchanged every time, the amount of interaction is large, and the clear text transmission of the password is unsafe.
2. The first request requires
Bringusernameandpassword. After verification,cookieis sent to the client,username和password,验证通过,发送cookie到客户端,app保存cookie值。每次请求带上
cookie。优点:和
pcSavecookie value.cookiewith every request.Advantages: The principle of browser authentication on
And somepcis the same.appOn the above two points, only registered users can have access to business logic.have a large number of APIs that do not require registration data
generation rule to generate a random string based on some common attributes shared by both the server and the client. The client generates this string, and the server verifies this string upon receiving the request. 🎜🎜token3. Develop a
It can be done like this. Different users obtain different tokens through the authorization interface, set the expiration time for the token, let the client put the token in the header for each request, and update the token regularly
Use token to replace the traditional session_id stored in the client cookie, and then the token is used as the key name in databases such as redis, and the key value is the user uid, and the session_id can be simulated through the built-in expiration mechanism
Our company has token and expiration time. Every time you log in, the token will be refreshed
This is what I asked on our site when I was in doubt
Your colleague said that the app does not have the concept of session, I don’t think it is accurate! I hope my previous questions are helpful to you!
Login is when the server generates a successful login ID and returns it to the client. The client request brings the login ID, and the server verifies the user information by logging in
The safe thing to do is
access_token. For this point, you can take a look at WeChat’s API interface;The simple way is
user_id;