Token-based authentication systems

With clients becoming more diverse and front ends evolving rapidly, traditional cookie-based session control runs into more and more limitations: cookies do not work well across domains, and native mobile apps lack proper cookie support. This post looks at an alternative solution.

The essence of user authentication

User authentication consists of session control (authentication) and permission control (authorization). Implementing session control requires an identity-verification process:
1. The client presents authentication credentials, e.g. a username and password.
2. The server verifies them.
3. If verification fails, the server returns a failure response. If it succeeds, the server returns a success identifier; the traditional way is to create a session and set a cookie on the client.
4. The client requests a URL that requires authentication. Traditionally the browser sends the cookie to the server automatically, and the server looks up the session id.

Token-based authentication systems

Advantages

What problems does a token-based authentication system solve?

Cross-domain / CORS: cookies + CORS don't play well across different domains. A token-based approach allows you to make AJAX calls to any server, on any domain because you use an HTTP header to transmit the user information.
Stateless (a.k.a. Server side scalability): there is no need to keep a session store, the token is a self-contained entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side.
CDN: you can serve all the assets of your app from a CDN (e.g. javascript, HTML, images, etc.), and your server side is just the API.
Decoupling: you are not tied to a particular authentication scheme. The token might be generated anywhere, hence your API can be called from anywhere with a single way of authenticating those calls.
Mobile ready: when you start working on a native platform (iOS, Android, Windows 8, etc.) cookies are not ideal when consuming a secure API (you have to deal with cookie containers). Adopting a token-based approach simplifies this a lot.
CSRF: since you are not relying on cookies, you don't need to protect against cross site requests (e.g. it would not be possible to
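The following is an added example, not code from the original post, that puts the four-step flow above and the "stateless" advantage side by side: the same credential check feeds either a traditional server-side session store (the client gets an opaque session id to hold in a cookie) or a self-contained signed token carried in an Authorization header. The token format (base64url JSON payload plus an HMAC-SHA256 signature), the Bearer header, the one-user credential store and the signing key are all assumptions made for this illustration; the post does not prescribe a token format, and in practice a standard format such as JWT with a maintained library is the usual choice.

```python
"""Stateful session auth vs stateless signed-token auth (added example, not from the post)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Steps 1 and 2 of the flow: the client presents credentials, the server verifies them.
# Constructed demo credential store (not from the post): username -> (salt, PBKDF2 hash).
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"demo-salt-only"
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

def verify_credentials(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    # constant-time comparison so a mismatch does not leak via timing
    return hmac.compare_digest(_hash_pw(password, salt), stored)

# Traditional approach (steps 3 and 4): server keeps state, client holds an opaque id.
SESSION_STORE: dict = {}

def login_with_session(username: str, password: str):
    """Return a random session id (to be set as a cookie) or None on failure."""
    if not verify_credentials(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"sub": username, "exp": time.time() + 3600}
    return sid

def check_session(cookie_sid: str, now=None):
    """Look the id up in the server-side store; this is the state a token removes."""
    now = time.time() if now is None else now
    sess = SESSION_STORE.get(cookie_sid)
    if sess is None or sess["exp"] < now:
        return None
    return sess["sub"]

# Token-based approach: the token itself carries the claims, signed by the server.
SERVER_KEY = secrets.token_bytes(32)  # assumed per-server signing key, never sent to clients

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username: str, ttl: int = 3600, now=None) -> str:
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": username, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def login_with_token(username: str, password: str):
    """Same credential check as above, but the result is a self-contained token."""
    if not verify_credentials(username, password):
        return None
    return issue_token(username)

def check_token(headers: dict, now=None):
    """Return the subject from 'Authorization: Bearer <token>', or None if invalid/expired.
    No server-side lookup is needed: signature and expiry are checked from the token alone."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # tampered payload or forged signature
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64, wrong number of parts, or malformed JSON
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")
```

Note the asymmetry the post describes: `check_session` cannot answer without `SESSION_STORE`, so every API node needs access to it, whereas `check_token` needs only the signing key. The price of that statelessness is that a token stays valid until `exp` unless you reintroduce server-side state (a revocation list), which is why short lifetimes matter.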