Cookie, session, token
2022-08-09 23:12:00 【Want to buy food】
Cookies, sessions, and tokens exist to work around the statelessness of HTTP. They are all returned by the server and used for authentication. Cookies are stored on the client side and are not secure: there is a risk of them being intercepted by unauthorized users.
Cookies are stored in the browser's cache, and the expiration time is determined by the server. A cookie becomes invalid as soon as the browser is closed, but it can also be persisted locally.
For example, when the client sends a request to the server, the server returns the cookie, including its expiration, in the Set-Cookie field of the response header.
A session, by contrast, is stored on the server side. The server generates a session ID and passes it to the client through a cookie. For example, when the client sends a request, the server puts the session ID in Set-Cookie and returns it to the client. When the client makes a login request, it carries this value. First, a note on how the server stores it: there are two ways, one is to store it in a file, the other is to put it in the database. The server takes the session ID sent by the client, looks up the corresponding session ID in its own local store, and then verifies whether the user keyed by that session ID is the client making the request. If so, it responds.
However, there will be a problem. If hundreds of millions of users send requests at the same time, the server needs to save the sessionid of hundreds of millions of users, so it will cause serious pressure on the performance of the server.
Tokens solve the cross-domain access problem of microservice deployments.
The user's login request goes to a dedicated authentication service. After authentication succeeds, an encrypted token is returned, and the client saves it. The next time the user accesses a service, the request carries this token, and the requested service takes the token to the authentication center to check whether it belongs to the user. If it does, the request is allowed and the response is returned.
Token validity time:
① Within 15 minutes
② Generally 15 days
This value is configurable.
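The token flow and configurable validity time described above, as an added example that is not code from the original post. The page calls the token encrypted; this example uses an HMAC-SHA256 signed token instead, and `AuthService`, `resource_service` and the sample account are hypothetical names constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

class AuthService:
    """Hypothetical authentication center: issues and validates tokens."""

    def __init__(self, ttl_seconds=15 * 60):
        self._key = secrets.token_bytes(32)  # signing key never leaves this service
        self.ttl = ttl_seconds               # validity time is configurable
        # Constructed sample account; plaintext only to keep the example
        # short, a real service stores salted password hashes.
        self._users = {"alice": "correct horse"}

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def login(self, user, password, now=None):
        """Return a signed token for valid credentials, else None."""
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        now = time.time() if now is None else now
        body = json.dumps({"sub": user, "exp": now + self.ttl}).encode()
        parts = (body, self._sign(body))
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in parts)

    def verify(self, token, now=None):
        """Return the user name for a valid, unexpired token, else None."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, AttributeError):
            return None                      # malformed token
        if not hmac.compare_digest(sig, self._sign(body)):
            return None                      # tampered or forged token
        claims = json.loads(body)            # parsed only after the signature checks out
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            return None                      # expired token
        return claims["sub"]


def resource_service(auth, token, now=None):
    """Hypothetical requested service: asks the authentication center first."""
    user = auth.verify(token, now)
    return (200, f"hello {user}") if user else (401, "unauthorized")
```

Passing `ttl_seconds=15 * 24 * 3600` gives the 15-day validity instead of the 15-minute default.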