SessionId is afraid of cross-domain problems, while token is not afraid because the former is based on cookie automatic carrying and the latter is carried manually.

generally speaking, sessionId has cross-domain security problems, but token does not. My understanding is that
sessionId is afraid of cross-domain problems, while token is not afraid because the former is based on cookie automatic carrying and the latter is carried manually.
when there is a cross-domain attack, the victim clicks the link and automatically brings the sessionId
on the browser cookie. Token is usually manually placed in the parameters or header when the programmer writes ajax in the program, so there is no cross-domain security problem?
if token is also placed in cookie, cross-domain security problems will occur like sessionId.
is that right?

so there should be no security problem if the https://blog.csdn.net/moshowg... zuul gateway is open and cross-domain, right?


I think so too.


cookie-based authentication has cross-security problems, either automatically or manually, but token passes the token to other domains after several redirects with the certification center. The subject can refer to the authentication process of sso, and the authentication process of oath is about the same.


I don't know if you mean CSRF by cross-domain security.

if so, find out what happened to csrf first:

  1. user logs in to website A normally and generates sessionid or token
  2. the user visited the malicious site Bli B while not quitting A, and secretly accessed An as a "user" in a way similar to .

Let's take a look at the problem again:

  1. as soon as you log in, you get the login credentials (sessionid or token), which you will pass back to the server on your next visit, so you need to "save" on the client.
  2. traditionally, sessionid is placed on cookie, so that the browser will "automatically bring it" the next time you visit, but it is not "necessary". After you understand the principle of session, sessionid can also be placed in header (or even get parameters or post parameters), but in this way, the browser will not automatically bring it, you need to send it manually, which is the same reason as token in header.
  3. For the problem of
  4. postback, hide the call through src. The browser automatically carries cookie by default, but it doesn't seem to be carried by default through ajax call (I don't confirm that I write less frontend)

therefore, putting cookie in token actually has two meanings: one is to store it in the client cookie, and the other is the definition (transmission mode) in the authentication protocol. For example, if you put the token into the cookie, but the server still recognizes the token in the header, it is useless to bring the token automatically in the cookie when you request it.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e86c02-dfe.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e86c02-dfe.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?