After the user logs in, the token sent from the backend is stored locally (localStorage, cookie or memory).
Assuming A gets the token of B, A with the token of B can pretend to be B. Is that so?
That is easy to say. Why don't you get my account token now?
For the server, a token is just a code name. Generally speaking, the backend will have authentication, that is, it will check the data of each interface.
Yes, even with the session mechanism, you can pass yourself off as B with the session_id of B.
Just take a single-page application as an example:
first use the user name, password, CAPTCHA, etc. to access the authorization URL and obtain the token; once you have the token, establish a connection with the backend and then obtain the data.
It's true that you can log in under the guise of someone else's token, but the problem is whether you can get someone else's token. Either it's an acquaintance or your computer is full of malware.
A token is equivalent to the ID card of your browser's current session. A token generally has an expiration time, generally speaking half an hour. If your ID card is stolen, you can indeed pretend to be you and request website A within that half hour. But it's usually hard to steal your token.
CSRF (Cross-Site Request Forgery) exploits a similar kind of weakness.
That's right. If you get the token, you can make requests with it. However, it is generally time-limited and can only be used within a certain period. Some companies and people will verify whether the request comes from a commonly used IP as an extra check. Let's say I gave you the token, but I have the IP encrypted into the token. You can't log in if you log in from somewhere else.