mysql - [php] A question about developing app APIs in PHP, looking for answers from experienced developers
某草草
某草草 2017-05-16 12:59:53

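Developing app APIs in PHP: a user login question

The situation is this: with the previous user login API, the server does not store a session after a successful login; it is probably stored on the app side. So even after the user has logged in successfully, when calling certain APIs the user_id still has to be passed as a parameter rather than read from the server's session.

Today I wanted to modify the login and registration APIs. My colleague says app APIs have no concept of session, but I keep feeling there should be some other way to store the user session on the server.

So I would like to ask everyone:

1. Is there a concept of `session` when developing app APIs in PHP?
2. If not, how is the user session handled? That is, whether the user is currently logged in.

Thank you all!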


reply all (10)
巴扎黑

You can take a look at jwt
Self-contained: The payload contains all the information needed by the user

    巴扎黑

    I set the token and expiration time, and use the token to verify

      漂亮男人

      First, you create a login interface. The app calls this interface. After you verify the username and password passed by it, return a token to it.

      For the token, you create a table to save it, and the table stores user_id, token, expire_data and other fields. Note that token and user_id are unique.

      Every time he requests other interfaces in the future, he only needs to bring this token to you, and you can verify the token.

      The passed token is encrypted/expired/guaranteed to be unique, which is basically it.
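
The token table described in this answer, as an added example that is not code from the thread: the login endpoint issues a random token, and every other endpoint derives the user from that token instead of trusting a `user_id` parameter. Assumptions: the table name `api_tokens`, the column `expires_at` (for the answer's `expire_data`), the function names `issueToken` and `authenticate`, the two-hour lifetime, and in-memory SQLite standing in for MySQL.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the real MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE api_tokens (
    token_hash TEXT PRIMARY KEY,        -- SHA-256 of the token, never the token itself
    user_id    INTEGER NOT NULL UNIQUE, -- one live token per user
    expires_at INTEGER NOT NULL         -- Unix timestamp
)');

// Called by the login endpoint after the username and password were verified.
function issueToken(PDO $db, int $userId, int $ttl = 7200): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    // REPLACE removes the user's previous row, so a new login revokes the old token.
    $stmt = $db->prepare(
        'REPLACE INTO api_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;                      // returned to the app once, over HTTPS
}

// Called by every other endpoint: the user comes from the token lookup,
// not from a user_id parameter supplied by the client.
function authenticate(PDO $db, string $token): ?int
{
    $stmt = $db->prepare(
        'SELECT user_id FROM api_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Constructed walk-through with a hypothetical user id 42.
$old = issueToken($db, 42);
var_dump(authenticate($db, $old));                 // token from the first login
$new = issueToken($db, 42);                        // the user logs in again
var_dump(authenticate($db, $old));                 // old token was replaced
var_dump(authenticate($db, $new));                 // current token
$db->exec('UPDATE api_tokens SET expires_at = 0'); // simulate expiry
var_dump(authenticate($db, $new));                 // expired token
var_dump(authenticate($db, 'forged-value'));       // token that was never issued
```

Storing only the hash means a leaked copy of the table does not hand out usable tokens.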

        仅有的幸福

        1. The request header carries the user's username and password, which are verified on the server; the business logic below continues only if verification passes.
        Advantage: it prevents the server-side api from being called at will.
        Disadvantages: The username and password are exchanged every time, the amount of interaction is large, and the clear text transmission of the password is unsafe.

        2. The first request requires the username and password. After verification passes, a cookie is sent to the client and the app saves the cookie value.
        Every request carries the cookie.
        Advantage: the principle is the same as browser authentication on the pc.

        With the above two approaches, only registered users can access the business logic.
        And some apps have a large number of APIs that do not require registration data.

        3. Define a token generation rule that generates a random string based on some common attributes shared by both the server and the client. The client generates this string, and the server verifies this string upon receiving the request.
        Disadvantage: The random string generation rules must be kept confidential.

        If my answer solves your problem, please click "Accept answer".
          左手右手慢动作

          It can be done like this. Different users obtain different tokens through the authorization interface, set the expiration time for the token, let the client put the token in the header for each request, and update the token regularly

            滿天的星座

            Use token to replace the traditional session_id stored in the client cookie, and then the token is used as the key name in databases such as redis, and the key value is the user uid, and the session_id can be simulated through the built-in expiration mechanism

              大家讲道理

              Our company has token and expiration time. Every time you log in, the token will be refreshed

                PHPzhong

                This is what I asked on our site when I was in doubt

                1. Your colleague said that the app does not have the concept of session, I don’t think it is accurate! I hope my previous questions are helpful to you!

                  Ty80

                  Login is when the server generates a successful login ID and returns it to the client. The client request brings the login ID, and the server verifies the user information by logging in

                    習慣沉默

                    The safe thing to do is access_token. For this point, you can take a look at WeChat’s API interface;

                    The simple way is user_id;
