network 쪽 공부를 하다가 session/token 정리 한 번 해두면 좋을 것 같아서 정리를 해본다.
chatGPT 와 대화하는데 맛이 들려버렸다
요즘에 공부를 하는데 chatGPT를 많이 활용하는 편이다. 확실히 쓰면 쓸수록 대단하다는 느낌이 든다…
특히나 내가 모르는걸 물어봤을 때 내가 고려하지 않은 키워드들도 얘기를 해주면서 깊이 있는 공부를 가능하게 해준다.
what is difference between session and token? (feat. chatGPT)
A session and a token are two different concepts used in web applications and authentication systems.
A session refers to a series of interactions between a user and a server during a single browsing session. When a user logs into a web application, a unique session is created between the user and the server. The server stores the user's session data, including user ID, preferences, and other information that is needed to provide a customized experience for the user. The session is usually identified by a unique session ID that is stored in a cookie or as part of the URL.
On the other hand, a token is a piece of data that is used to authenticate a user and grant access to specific resources or actions. Tokens are often used in token-based authentication systems, such as OAuth, where a user is authenticated by providing a token instead of a username and password. Tokens are typically generated by a server and sent to a client application, which then includes the token in subsequent requests to the server to access protected resources.
In summary, while both sessions and tokens are used in authentication and authorization, sessions are used to keep track of a user's interactions during a browsing session, while tokens are used to authenticate and authorize access to specific resources or actions.
처음에는 간단히 session과 token의 대해 설명해주었다.
그래서 이번엔 좀 더 궁금한 질문을 해봤다.
JWT encryption method (feat. chatGPT)
JSON Web Tokens (JWTs) are a popular method for representing claims securely between parties. JWTs consist of three parts: a header, a payload, and a signature.
The header typically consists of two parts: the type of token (which is JWT) and the hashing algorithm used to secure the token, such as HMAC SHA256 or RSA.
The payload contains the claims or information that the token represents. This information can include the user's identity, authorization scopes, or other metadata.
Finally, the signature is created by taking the header and payload, and signing it using a secret key that only the server knows. The signature is then appended to the header and payload to create the final JWT.
To encrypt a JWT, you can use one of two methods: symmetric encryption or asymmetric encryption.
Symmetric encryption involves using the same secret key to both sign and encrypt the JWT. This method is typically faster and simpler, but requires that the key be shared between the server and any party that needs to validate or decrypt the JWT.
Asymmetric encryption, on the other hand, uses a public-private key pair to encrypt and sign the JWT. The server uses its private key to sign the JWT, and anyone with the corresponding public key can verify the signature and decrypt the JWT. This method is more secure since the private key does not need to be shared, but is generally slower and more complex than symmetric encryption.
To use encryption with JWTs, you would typically use the JWE (JSON Web Encryption) standard. JWE defines a method for encrypting the payload of a JWT, allowing you to protect the sensitive data in the token.
In summary, to encrypt a JWT, you would use the JWE standard and either symmetric or asymmetric encryption to encrypt the payload of the JWT. The resulting encrypted JWT would contain the encrypted payload, along with the header and signature, and would be sent to the client, where it could be decrypted and the claims extracted.
(작성중)