Some questions from a front-end student about token security

After the user logs in, the token sent from the backend is stored locally (localStorage, a cookie, or memory).
Suppose A gets hold of B's token; A can then use B's token to pretend to be B. Is that so?


Easy to say. Why don't you go and get my account token, then?


For the server, the token is just a code name. Generally speaking, the backend will have authentication, that is, it will check the data on each interface.


Yes; even with the session mechanism, you can pass yourself off as B with B's session_id.



Just take a single-page application as an example:
First, use the username, password, CAPTCHA, etc. at the authorization URL to obtain the token; having obtained the token, establish a connection with the backend, and then fetch the data.

  1. Generally speaking, this token is not stored in a cookie, localStorage or other such places, but only in a global variable. In that case you cannot get it by logging in with a different account; it is limited to the current page and can be used as long as the page is not refreshed.
  2. What is the purpose of storing the token in a visible area such as localStorage? To remember usernames and passwords? If the backend only verifies the token at login, it is indeed possible to log in with it; for a site that does not require security, this actually does not matter. If the website is demanding, your token cannot be stored in plaintext and needs to be manually encrypted and decrypted.

It's true that you can log in under the guise of someone else's token, but the problem is whether you can get someone else's token at all. Either it's an acquaintance, or your computer is full of viruses.


A token is equivalent to the ID card of your browser's current session. A token generally has an expiration time, typically half an hour. If your ID card is stolen, the thief can indeed pretend to be you when requesting website A within that half hour. But it's usually hard to steal your token.


CSRF (Cross-Site Request Forgery, cross-domain request forgery) exploits a similar kind of vulnerability.

Attack example

  1. User A uses browser b to visit website W1; W1 establishes a session s with b.
  2. A clicks on W2, and W2 sends a request r to W1 using s, without A noticing.
  3. Request r could delete A's data on W1 or transfer A's virtual assets on W1.

That's right. If you get the token, you can make requests with it. However, it is generally time-limited and can only be used within a certain period. Some companies and people will check whether the requesting IP is one the user commonly uses, to achieve the purpose of verification. Let's say I gave you my token, but I have the IP encrypted into the token. You can't log in if you log in from somewhere else.
