How to do authentication?
If you find it hard to get my meaning, email me at peterlitszo at gmail.com!
Now there are mainly three ways to do authentication:
- Session.
- Token.
- JWT.
Session
We get a session like this:
- Alice: Hello, Bob, I am Alice, my password is `PaSsWoRd`. (over HTTPS rather than HTTP)
- Bob: OK, let me check. The user named Alice has `hash(password)` equal to `HaShEdPaSsWoRd`! So you must be Alice! I give you the session id `UniqueSessionId`. Hold it for next time!
- Alice: Hello, Bob, I want to see some yellow pictures! Here is `UniqueSessionId`.
- Bob: `UniqueSessionId`? Yes, you do have permission to see the yellow pictures! Here you are.
After a long time there are many people!!! Bob cannot remember so many people!! He needs to put that information into his notebook (that is, Bob needs to keep it in a database on disk rather than in memory, and he needs to delete the records that are out of date).
For the `UniqueSessionId`, in my opinion the best way is to use a UUID. Where to put the `UniqueSessionId`? I think putting it in a cookie is a good idea. The cookie is carried along whenever the browser makes a request.
Token
We get a token like this:
- Alice: Hello, Bob, I am Alice, my password is `PaSsWoRd`. (over HTTPS rather than HTTP)
- Bob: OK, let me check. The user named Alice has `hash(password)` equal to `HaShEdPaSsWoRd`! So you must be Alice! I give you the token `{username: 'Alice'}, sign('by Bob')`. Hold it for next time!
- Alice: Hello, Bob, I want to see some yellow pictures! Here is `{username: 'Alice'}, sign('by Bob')`.
- Bob: Let me check: `check({username: 'Alice'}, 'the word only bob know') === sign('by Bob')`. OK, you must be Alice. Alice has permission to see the yellow pictures! Here you are!
Bob does not need to remember those session IDs! What a good thing for him! He just needs to compute the value of the function `check`.
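As an added example, not the author's code, here is a small Python sketch of both conversations above: Bob's notebook is a dict standing in for the database, the secret word and usernames are constructed sample values, and since the page leaves `sign` and `check` abstract, the signature is assumed to be HMAC-SHA256 over the claims, with an expiry added so a stateless token does not live forever.

```python
import base64, hashlib, hmac, json, time, uuid

# ---- Session: Bob keeps state. The dict stands in for his notebook (a DB on disk). ----
SESSION_TTL = 3600                    # seconds a session id stays valid
sessions = {}                         # session_id -> {"username": ..., "expires": ...}

def create_session(username, now=None):
    now = time.time() if now is None else now
    sid = str(uuid.uuid4())           # UUID as the page suggests: random, not guessable
    sessions[sid] = {"username": username, "expires": now + SESSION_TTL}
    return sid                        # goes into a cookie (set Secure + HttpOnly in real use)

def lookup_session(sid, now=None):
    now = time.time() if now is None else now
    rec = sessions.get(sid)
    if rec is None or rec["expires"] <= now:
        sessions.pop(sid, None)       # delete the out-dated record
        return None
    return rec["username"]

# ---- Token: Bob keeps no per-user state, only "the word only bob know". ----
BOB_SECRET = b"the word only bob know"   # constructed sample; load from a secret store in real use
TOKEN_TTL = 3600

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload, secret=BOB_SECRET, now=None):
    """Return '<base64 claims>.<base64 HMAC-SHA256>'; the claims carry an expiry."""
    now = time.time() if now is None else now
    claims = dict(payload, exp=int(now) + TOKEN_TTL)
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def check(token, secret=BOB_SECRET, now=None):
    """Recompute the HMAC over the claims; return them only if the tag matches and is unexpired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):   # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError):   # malformed base64/JSON, wrong number of parts, bad exp
        return None
```

Note the trade-off the page describes: `lookup_session` can forget Alice at any time by deleting her record, while a signed token stays valid until `exp` no matter what Bob does, because he keeps nothing to delete.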
JWT
In my opinion, a JWT is a token, but with some rules (a protocol) so that everyone can handle it the same way, and it gives you scalability without having to think about it.