python - php uses token mechanism

Question

The WeChat token mechanism is often imitated in the development environment. But what is the use of this? In my opinion, it is just to prevent others from randomly requesting the interface. I really can't think of its use. For example, if a successful login returns an a b c and md5 (a b c token), then the next time the request interface brings this abc parameter, it will be consistent with the token encryption verification character in my server. I feel like this is not very useful. Please tell me the secret of it

Answer 1

In the situation you mentioned, the generated token is generally reversible and can be self-verified, which means that the MD5 algorithm is generally not used, but can be reversely converted into regular data, and then the contents of different parts of the regular data are self-consistent. . So if the user randomly gets a token string with the same format as the token, the server will directly report an error without returning any data except error information. This prevents crawlers from grabbing data from the website to a certain extent, and also reduces the pressure on the server (because if the data is queried regardless of whether it is a valid request, the query pressure will be very high). Since your token generation method is not public, it will be difficult for crawler writers to crack your token construction method.

In addition to what you mentioned, it can also be used as user login. That is, when the user logs in, a token is returned and saved on the front end. Before this token expires, the front end can always use this token as the user's login token. Each time the server data is requested, the user information corresponding to the token in the database will be retrieved through this token. In other words, the token at this time is equivalent to the authorization given to the logged in user.

Answer 2

The token at this time actually plays the role of session.