A few questions about tokens

The so-called token probably means that, after login verification succeeds, the server generates a unique string according to some algorithm and returns it to the front end. The front end then uses this string as a credential to fetch data, so the questions are:

  1. if this token is intercepted midway, can data also be obtained successfully with it;
  2. how does the server verify the correctness of this string;
  3. where does the security of this authentication mechanism lie?
Mar.19,2021

  1. Tokens mainly solve the CSRF problem. Tokens are generally asymmetrically encrypted. If the token stays unchanged for the whole login, then when the token is intercepted it is definitely a security problem.
  2. The main function of a token is not to solve security. Data security solutions generally use a sign.

Answer: first, if the interception succeeds and the token has not yet expired, the data can be obtained successfully.


I think you can look up information on JSON Web Token.


At least tokens are not sequential; I can't just try them starting from 1.

For example, suppose checking someone's order looks like this: /order/${uid} (nobody is that stupid, but ignore the details).

Once I find the pattern, I can look up other people's order information at will just by changing the uid. That is not safe, but if the uid is not a consecutive number but a 32-character string produced by md5, this approach no longer works.
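The /order/${uid} case in the answer above is the classic insecure direct object reference. The following is an added example (not code from the original thread) showing the server-side fix a defender actually relies on: the order handler resolves the user from an opaque, random session token and then checks that the requested order belongs to that user, instead of hoping the id is hard to guess. The order data, session store, user names and the `get_order` handler are all constructed for this illustration.

```python
import secrets
from typing import Optional, Tuple

# Constructed sample data: orders keyed by order id, each owned by one user.
ORDERS = {
    "1001": {"owner": "alice", "item": "keyboard"},
    "1002": {"owner": "bob", "item": "monitor"},
}

# Constructed in-memory session store: opaque token -> user id.
SESSIONS = {}


def issue_token(user_id: str) -> str:
    """Issue an opaque session token after a successful login.

    secrets.token_urlsafe(32) gives 256 bits of randomness, so tokens are
    neither sequential nor derivable from the user id.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_order(token: Optional[str], order_id: str) -> Tuple[int, dict]:
    """Handler for GET /order/{order_id}: authenticate, then authorize.

    Returns (http_status, body). The ownership check is what stops a user
    from reading someone else's order by editing the id in the URL; an
    unguessable id is not a substitute for it.
    """
    user = SESSIONS.get(token) if token else None
    if user is None:
        return 401, {"error": "not authenticated"}

    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same response for "does not exist" and "not yours", so the
        # id space cannot be enumerated by watching the status code.
        return 404, {"error": "not found"}
    return 200, order


if __name__ == "__main__":
    alice = issue_token("alice")
    print(get_order(alice, "1001"))   # alice's own order -> 200
    print(get_order(alice, "1002"))   # bob's order -> 404, even with a valid token
    print(get_order(None, "1001"))    # no token -> 401
```

Note that the check compares the resource's owner with the identity derived from the token, never with anything the client supplied in the URL or body.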


The token is encrypted with AES. If it can be decrypted correctly, it contains


If you are worried about the token being captured, you can consider using the https protocol.


Tokens are not there to solve the security problem. If you ask me, I want to hit someone.


Tokens are mainly used to deal with CSRF.

To solve security issues: https, two-factor authentication, etc.


1. With https, the token cannot be intercepted by a MITM, unless the website has been injected via XSS. Of course, you can use an HttpOnly cookie to prevent js from reading it.
2. Tokens come in many kinds, for example JWT tokens encrypted with a hash. The server first checks the hash layer, then compares against the database (which can be omitted).
3. There is no absolute security, only relative security.
