今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

From Passwords to Token-based Authentication

Alimur Razi Rana 2026年07月02日 14:37 3 次阅读 来源:Dev.to

Every authentication mechanism in use today emerged to address a specific set of constraints the previous one wasn't designed for. This article walks through that chain — not as a list of definitions, but as a sequence of problems and the constraints that shaped each solution. 1. The Problem With Sending Passwords Every Request The earliest widely used approach, HTTP Basic Authentication, is also the simplest to understand. The client sends the username and password, base64-encoded, on every single request: GET /api/data Authorization: Basic dXNlcjpwYXNzd29yZA== Base64 is not encryption — it's just a reversible encoding. Anyone who intercepts this header has the raw credentials. This approach has three structural problems. First, the password is transmitted on every request, which means every request is a new opportunity for it to leak — through logs, proxies, or a compromised network. Second, the server has to validate credentials against the database on every single call, since there's no concept of an established session; that's a database hit for every API request, which doesn't scale. Third, there's no way to limit what the credentials can do or for how long. The password grants full access until it's changed, and changing it is the only way to revoke access — there's no way to invalidate just one client's access without affecting every other client using the same password. 2. Sessions Try to Fix It, But Introduce New Problems The next evolution moved the credential check to a single moment: login. After verifying the password once, the server creates a session, stores it (in memory or a database), and gives the client a session ID, usually via a cookie. Every subsequent request just sends that ID, not the password. The user logs in by submitting their username and password. Browser ───────────────▶ Server Login Request The server validates the credentials. Server ── checks username/password ──▶ Database If the credentials are valid, the server creates a new se

本文内容来源于互联网,版权归原作者所有
查看原文