What does token error mean?

(*-*)浩 (Original), 2020-01-07 14:19:51

A token error is an error with the token that a client presents to the server.

A token is generated on the server side. When the front end sends a username and password to the server for authentication and the authentication succeeds, the server returns a token to the front end. The front end can then send the token with every request to prove its legitimate identity.

# What problems can it solve?

A token is completely managed by the application, so it is not restricted by the same-origin policy

Tokens can avoid CSRF attacks (http://dwz.cn/7joLzx)

Tokens can be stateless and can be shared between multiple services

The front end sends the token with each request to prove its legitimate identity. If this token is persisted on the server side (for example, stored in a database), it is a permanent identity token.

Whether considered from the perspective of security or of revocation, a token needs a validity period.

So what is the appropriate validity period?

I can only say that, depending on the security needs of the system, it should be as short as possible, but not ridiculously short. Think of the automatic screen-off time on a mobile phone: if the screen turns off after 10 seconds without any operation, and you have to enter a password every time you turn it back on, wouldn't that drive you crazy?

If you think you wouldn't, try it yourself: set it to the shortest time available and stick with it for a week (it is not ruled out that some people can adapt to this; after all, mobile phone manufacturers also do user experience research).

Then a new problem arises: if the user's token expires during normal operation and the user has to log in again, wouldn't the user experience be very bad?

To keep users from noticing that the token has expired while they are working, one solution is to save the token's state on the server side and automatically refresh (postpone) the expiration time each time the user performs an operation. Sessions use this strategy to keep users logged in.

However, there is still a problem. With front-end/back-end separation and single-page apps, many requests may be initiated per second, and refreshing the expiration time on every one of them is very costly.

If the token expiration time is persisted to a database or file, the cost is even greater. Therefore, to improve efficiency and reduce overhead, the token's expiration time is usually kept in a cache or in memory.
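
An added example, not code from the original article: an in-memory token store that implements the sliding expiration described above. The class names, the 900-second validity period and the `min_refresh` throttle (which goes beyond the article by skipping expiry writes that arrive close together) are assumptions.

```python
import secrets
import time


class TokenError(Exception):
    """Raised when a token is unknown, revoked or expired."""


class TokenStore:
    """In-memory token store with sliding expiration (hypothetical names)."""

    def __init__(self, ttl=900, min_refresh=60, clock=time.monotonic):
        self.ttl = ttl                  # validity period in seconds (assumed value)
        self.min_refresh = min_refresh  # skip refreshes closer together than this
        self.clock = clock              # injectable so expiry can be tested
        self._tokens = {}               # token -> (user, expires_at)
        self.writes = 0                 # counts expiry updates, to show the cost

    def issue(self, user):
        """Call only after the username/password check has succeeded."""
        token = secrets.token_urlsafe(32)  # unguessable, generated server-side
        self._tokens[token] = (user, self.clock() + self.ttl)
        return token

    def validate(self, token):
        """Return the user for a live token and postpone its expiry."""
        now = self.clock()
        entry = self._tokens.get(token)
        if entry is None:
            raise TokenError("unknown or revoked token")
        user, expires_at = entry
        if now >= expires_at:
            del self._tokens[token]     # expired tokens are dropped, not revived
            raise TokenError("token expired")
        # Rewrite the expiry only when it is stale by at least min_refresh, so a
        # burst of requests per second causes one write instead of one each.
        if (now + self.ttl) - expires_at >= self.min_refresh:
            self._tokens[token] = (user, now + self.ttl)
            self.writes += 1
        return user

    def revoke(self, token):
        """Logout or forced revocation: the token stops working immediately."""
        self._tokens.pop(token, None)
```

An expired or revoked token raises `TokenError`, which is the point at which the front end has to send the user back to the login step.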
