Premise: The user has gone through the login verification process.
Question: So how does the user verify his identity when he obtains his private data from the server?
(Note: express framework used for backend)
PHP中文网2017-05-16 13:40:11
cookie
[http://wiki.jikexueyuan.com/project/node-lessons/cookie-session.html][1]
session是基于cookie的服务端技术
習慣沉默2017-05-16 13:40:11
session, write the user id into the session
when the verification is successfulreq.session.user = user;
PHP中文网2017-05-16 13:40:11
session!
session can be stored in server memory or a cache like redis.
There are mature third-party session libraries, in which sessions can exist in redis/database/local.
You can save the session in redis like this:
var session = require('express-session');
var RedisStore = require('connect-redis')(session);
app.use(session({
store: new RedisStore({
host: CONF.REDIS_URL(),
port: 6379
}),
secret: 'keyboard cat',
resave: false,
saveUninitialized: false,
cookie: {maxAge: 14400000}
}));
黄舟2017-05-16 13:40:11
Negotiate with the backend to adjust the interface, and then verify his identity in the backend
漂亮男人2017-05-16 13:40:11
After the user passes the verification, certain information will be saved in the background to avoid repeated verification in the future. The commonly used method in the past was Session. Session is based on Cookie. Later, the Token method was gradually developed, using Token to replace the Seesion-Id in Cookie. As The backend determines the basis for logged in users, and then JWT (JSON Web Token) appears.
But having said that, if there are really important operations that require special caution, there should be two-step verification, such as random SMS passwords for payment, and various security Token (or random password) Apps, etc. The simplest is to require you to enter the password again to confirm after logging in for a certain period of time to perform high-security operations, such as operations such as deleting important data by the administrator.