First, after successful login, a MD5 hash value token (32-bit or 64-bit) is randomly generated;
Then, store this token in the current user’s table, and then add a token field and last_login_time field to this user;
Return this token to the browser’s cookie to store, and set a maximum duration, such as 30 days;
The main function of these three processes is that last_login_time can check the expiration time. After the expiration time is up, the token will be updated. In addition, as long as the user successfully logs in through this token, the token will be updated, so as to ensure as much security as possible.
Every time the user visits the website, check whether there is a token in the cookie. If there is a token, go to the database to query the data. If found, the login will be successful directly, which saves the user name and password verification and login stage.
The whole idea is this, you can also let the front end store the token in localstorage
Don’t use cookies to save account passwords, save a flag to remember the login, and finally combine it with the time of the last login and the generated key to form an encrypted string. Then save it in cookie. Then check whether there is this cookie every time you log in. If there is, decrypt it. This string can then be solved for verification. If it is normal, just log in directly.
Cookie stores the password locally, and session stores the password on the server. Relatively speaking, session is relatively safe. But cookies are very safe if they are handled well.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
First, after successful login, a MD5 hash value token (32-bit or 64-bit) is randomly generated;
Then, store this token in the current user’s table, and then add a token field and last_login_time field to this user;
Return this token to the browser’s cookie to store, and set a maximum duration, such as 30 days;
The main function of these three processes is that last_login_time can check the expiration time. After the expiration time is up, the token will be updated. In addition, as long as the user successfully logs in through this token, the token will be updated, so as to ensure as much security as possible.
Every time the user visits the website, check whether there is a token in the cookie. If there is a token, go to the database to query the data. If found, the login will be successful directly, which saves the user name and password verification and login stage.
The whole idea is this, you can also let the front end store the token in localstorage
Use jwt token to save the token in the browser.
You can read the following two articles for details
jwt-vs-oauth-authentication , jwt
Don’t use cookies to save account passwords, save a flag to remember the login, and finally combine it with the time of the last login and the generated key to form an encrypted string. Then save it in cookie.
Then check whether there is this cookie every time you log in. If there is, decrypt it. This string can then be solved for verification. If it is normal, just log in directly.
Cookie stores the password locally, and session stores the password on the server. Relatively speaking, session is relatively safe. But cookies are very safe if they are handled well.