Home  >  Article  >  Backend Development  >  How to add token to response header in php

How to add token to response header in php

藏色散人
藏色散人Original
2023-02-20 09:28:203875browse

php method to add token to response header: 1. Use Bearer mode to add JWT in the Authorization field in the header of the request; 2. After the server receives the request, use the JWT specification to generate the token and return Just give it to the client.

How to add token to response header in php

The operating environment of this tutorial: Windows 10 system, PHP version 8.1, DELL G3 computer

How to add token to the response header in php ?

Generation and use of php token

1. Why use token for login

Separation of front and back ends or to support multiple web application, then there will be big problems in using the original cookies or sessions

Cookie and session authentication need to be under the same main domain name before they can be authenticated (currently, the session can be stored in redis to solve the problem) .

2. Solution

oauth2 and jwt

jwt: is a security standard. The basic idea is that the user provides the user name and password to the authentication server, and the server verifies the legitimacy of the information submitted by the user; if the verification is successful, a token (token) will be generated and returned

OAuth2: It is a secure authorization framework . It describes in detail how to achieve mutual authentication between different roles, users, service front-end applications (such as API), and clients (such as websites or mobile APPs) in the system.

(jwt is used here, this JSON Web Token is used for authentication)

3. Generation method

Header: Encryption type

Description :Message content

Key: A random code is used to encrypt

The above three parts are connected. Then use hs256 to encrypt and generate token

4. Detailed generation method

1). The header usually consists of two parts: the type of token (i.e. JWT) and the encryption algorithm used (such as SHA256 or RSA)

{
      "alg": "HS256",
      "typ": "JWT"
}

Then, this json is Base64Url encoded, becoming the first part

2). The payload is the declaration. The declaration is about the entity.

{
      "exp": "1525785339",
      "sub": "1234567890",
      "name": "John Doe",
      "admin": true
}

The payload is then Base64Url encoded and becomes the second part

(PS: This information, although protected from tampering, can be read by anyone. Do not send important information unless it is encrypted Put it inside)

3). Use an encryption key

4). To sign, you need to use the first encoded part, the second encoded part, and then a key key. Use the encryption algorithm in the first part to sign

HMACSHA256(
          base64UrlEncode(header) + "." + base64UrlEncode(payload),
          key
)

This signature is used to verify whether the message has been tampered with.

(PHP uses the crypt method for encryption. Note: SHA-256 is used to prevent tampering, and AES-256 is used to encrypt. The two concepts are different)

5. Token storage location

Usually you should use the Bearer mode to add JWT (Authorization: Bearer) in the Authorization field in the request header (of course you can also place it anywhere, such as passing it as a parameter after the URL, as long as the client can recognize it, but Since JWT is a specification, we'd better follow the specification)

6. Usage method

The client user enters the username and password and then logs in, requesting the token

server After receiving the request, use the JWT specification to generate a token and return it to the client

After the client receives the token, it decrypts it, verifies the timeliness of the token (the expiration time of the token), and saves it

The client uses the token to request data

After the server receives the token and decrypts it, it verifies the user's identity, verifies the timeliness, and then verifies the user

7. Disadvantages

1. Unable to invalidate issued tokens (refresh the token usage period)

2. It is not easy to deal with expired data (support token invalidation)

So if you use a token, then if the token is If caught, it can be forged and impersonated. Therefore, if the security is relatively high, it is still recommended to use oauth2

Recommended learning: "PHP Video Tutorial"

The above is the detailed content of How to add token to response header in php. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn