java - A question about logging in from a WeChat Enterprise Account to a self-built system
迷茫 2017-04-18 10:02:10

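Mastery in work comes from diligence and is lost through idleness; success in action comes from thought and is ruined by carelessness.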

reply all (2)
洪涛

Returning the account and password is not recommended. You can use the account and password to generate a temporary string in your own way. Let's call it a token for now, then associate this token with the user's account and password, and set a destruction time for the token. The server returns the token to the user, writes it into cookies, and then extracts the token from each request as the user information.

阿神

The step from the WeChat user accessing a specific URL to reaching the server is already a login operation, so I don't quite understand why the account and password are returned in Figure 2.

As @水爱 said, after the user successfully logs in, a token with an expiration time is generated on the server and returned to the user. At the same time, the token is saved in the server cache (such as memcached or redis), and every time the user visits the server, it checks whether the token still exists in the cache. If so, it is legal. Otherwise, log in again.

The above verification is relatively simple. Depending on the security requirements of your business for login verification, you can design a more secure but more complex solution.

Security is directly proportional to cost and inversely proportional to convenience, and needs to be weighed against the business.
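
The token flow both replies describe, as an added example that is not code from the original posts: a token is issued at login, cached with an expiry, returned in a cookie and checked on every request. Assumptions: Python is used for illustration, an in-memory dict stands in for memcached/redis, the token is random rather than derived from the account and password, and `SessionStore`, `session_cookie` and the cookie name `session` are hypothetical names.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

TOKEN_TTL = 1800  # seconds; assumed lifetime, tune to the business requirement

class SessionStore:
    """In-memory stand-in for the server cache (memcached/redis)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash so a dump of the cache does not yield usable tokens.
        return hashlib.sha256((token or "").encode()).hexdigest()

    def issue(self, user_id, ttl=TOKEN_TTL):
        # Random token: nothing about the account or password can be recovered from it.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user_id, self._clock() + ttl)
        return token

    def validate(self, token):
        # Return the user id if the token is cached and unexpired, else None.
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # destroy the expired token
            return None
        return user_id

    def revoke(self, token):
        # Logout: the token stops working before its expiry time.
        self._sessions.pop(self._key(token), None)

def session_cookie(token, ttl=TOKEN_TTL):
    # Set-Cookie value: HttpOnly hides the token from page scripts,
    # Secure restricts it to HTTPS, Max-Age matches the server-side expiry.
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"].update({"max-age": ttl, "httponly": True, "secure": True,
                              "samesite": "Lax", "path": "/"})
    return cookie["session"].OutputString()
```

A `None` result from `validate` is the "log in again" case; with redis, the expiry would normally be delegated to the key's TTL instead of the manual check.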
