How to use token PHP

How to use tokens in PHP: 1. The client user enters the user name and password to log in and request the token; 2. Use the JWT specification to generate the token; 3. Verify the timeliness of the token; 4. , The client uses the token to request data.

The operating environment of this article: Windows 7 system, PHP version 7.1, Dell G3 computer.

How to use token PHP?

Generation and use of php token

1. Why use token for login

Separation of front and back ends or to support multiple web application, then there will be big problems in using the original cookies or sessions.
Cookie and session authentication need to be under the same primary domain name for authentication (currently, the session can be stored in redis to solve the problem).

2. Solution

oauth2 and jwt

jwt: is a security standard. The basic idea is that the user provides the user name and password to the authentication server, and the server verifies the legitimacy of the information submitted by the user; if the verification is successful, a token (token) will be generated and returned
OAuth2: It is a secure authorization framework. It describes in detail how to achieve mutual authentication between different roles, users, service front-end applications (such as API), and clients (such as websites or mobile APPs) in the system.
(JWT, this JSON Web Token is used for authentication here)

3. Generation method

1. Header: Encryption type

2. Description: Message content

3. key: a random code used to encrypt

4. Use the above three parts to connect. up, and then use hs256 to encrypt to generate token

4. Detailed generation method

1). The header usually consists of two parts: the type of token (i.e. JWT) and the encryption algorithm used (such as: SHA256 or RSA)

{
      "alg": "HS256",
      "typ": "JWT"
}

Then, this json is Base64Url encoded and becomes the first part

2). Payload is a statement. The declaration is about the entity.

{
      "exp": "1525785339",
      "sub": "1234567890",
      "name": "John Doe",
      "admin": true
}

The payload is then Base64Url encoded and becomes the second part
(PS: This information, although protected from tampering, can be read by anyone. Do not send important information unless it is encrypted Put it inside)

3). Use an encryption key

4). To sign, you need to use the first encoded part, the second encoded part, and then a key key. Use the encryption algorithm in the first part to sign

HMACSHA256(
          base64UrlEncode(header) + "." + base64UrlEncode(payload),
          key
)

This signature is used to verify whether the message has been tampered with.
(PHP uses the crypt method for encryption. Note: SHA-256 is used to prevent tampering, and AES-256 is used to encrypt. The two concepts are different)

5. Token storage location

Usually you should use the Bearer mode to add JWT (Authorization: Bearer) in the Authorization field in the request header (of course you can also place it anywhere, such as passing it as a parameter after the URL, as long as the client can recognize it, but Since JWT is a standard, we'd better follow the standard)

Recommended study: "PHP Video Tutorial"

6. How to use

1. The client user enters the username and password to log in and requests the token
2. After the server receives the request, it uses the JWT specification to generate the token and returns it to the client
3. Client After receiving the token, decrypt it, verify the timeliness of the token (the expiration time of the token), and save it
4. The client uses the token to request data
5. After the server receives the token and decrypts it, it verifies the user's identity , verify the timeliness, and then verify the user

7. Disadvantages

1. 无法作废已颁布的令牌（对token刷新使用期限）
2. 不易应对过期数据（支持 token 失效）

So if you use a token, then if the token is captured, then it can be forged. Impersonate. So if security is relatively high, it is recommended to use oauth2

The above is the detailed content of How to use token PHP. For more information, please follow other related articles on the PHP Chinese website!