How many questions about token?

the so-called token, probably means that after the login verification is successful, the server generates a unique string and returns it to the front end according to the algorithm. The front end takes this string as a credential to get the data, so the problem comes:

  1. how to intercept this token, midway can also successfully obtain data;
  2. how does the server verify the correctness of this string;
  3. where is the security of this authentication mechanism?
Mar.19,2021

  1. token mainly solves the csrf problem. Token is generally asymmetric encryption. If the token is unchanged during a login, when the token is intercepted, it must be a security problem
  2. .
  3. the main function of token is not to solve security. Data security solutions generally use sign
  4. .

answer: first, if the interception is successful, and during the expiration period of the token, the data can be obtained successfully.

 token
 token

I think you can look for information on json web token


at least token is not continuous, I can't try back from 1

for example, check that someone's order is like this / order/$ {uid} (no one is so stupid but don't care about the details)

after I find the rule, I can check other people's order information at will as long as I change the uid. This is not safe, but if the uid is not a consecutive number, but a 32-bit character encrypted by md5, this path will not work.


token is encrypted by AES. If it can be decrypted correctly, it contains


if you are worried about token being caught, you can consider using https protocol


token not to solve the security problem. If you ask me, I want to hit someone


.

token is mainly used to deal with

of CSRF.

solve security issues:
https, two-factor authentication, etc.


1. You cannot intercept in mimt using https token, unless the website has been injected by xss. Of course, you can use cookie only to prevent js from reading.
2. Token is divided into many kinds of jwt token encrypted by hash. The server takes it to the first layer for hash monitoring, and then compares it with the database (which can be omitted).
3. There is no absolute security, only relative security.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e48ce4-43c5c.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e48ce4-43c5c.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?