tokens are great tool to prevent csrf attack
for every request made by user , your system must generate a unique token and store it somewhere
the next time the client ask to perform some actions , the system verify if the token exist , and if it still valid
if we store tokens in sessions , then sessions will become too large , an this will cost a lot of memory as the CPU load the entire sessions in ram when responding to a request , and with a CPU of 1Gb for example , and 1000 users with 1 sessions of 1Mb each , the CPU will not handle anything , this could be a typical ddos attack ( to request more and more tokens knowing they are stored in sessions)
in the other side storing tokens in database have his own weakness ,
which method do you use to store tokens ?
Use sessions, 1MB per session is pretty high IMO. Since PHP's Session handler can be switched to use a different back end, you have the flexibility of storing them on disk / memcached / mysql down the road.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.