Eight-Step User Authentication with JWT

This article explains an eight‑step JWT‑based user authentication flow, covering secure credential transmission, database verification, token creation, HttpOnly cookie handling, request validation, payload decoding, session versus JWT comparison, and cross‑domain single sign‑on configuration.

Top Architect

User authentication is the mechanism that lets a user log in once and then access a website for a period of time without re‑entering credentials.

First, the client sends the username and password via an HTTPS POST request to the server.

The server checks the credentials against the database.

When verification succeeds, the server creates a JWT that includes the user's id (or user_id) as a payload claim, Base64‑encodes the header and payload, signs them, and produces a token string such as lll.zzz.xxx.

The JWT is returned to the client as part of an HttpOnly cookie to prevent JavaScript access and mitigate XSS attacks.

For each subsequent request before the cookie expires, the client automatically sends the JWT cookie; the server extracts the token from the request.

The server validates the JWT by checking its signature, expiration time, and optionally its audience.

After successful validation, the server decodes the payload, reads the user_id, retrieves the corresponding user record from the database, and initializes any necessary ORM or business logic.

Compared with traditional session storage, which consumes server memory and often requires external key‑value stores, JWT stores state on the client, reducing server memory pressure and allowing additional claims such as roles or permissions.

For single sign‑on across multiple subdomains, sessions require synchronization, whereas JWT can be shared by setting the cookie's domain attribute to the top‑level domain (e.g., .taobao.com), enabling all subdomains to receive the token.

Set-Cookie: jwt=lll.zzz.xxx; HttpOnly; max-age=980000; domain=.taobao.com
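The token creation, cookie issuance and validation steps above, as an added Python example that uses only the standard library (it is not the article's code); the secret, user id, TTL and audience are constructed values for illustration:

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: the server's HS256 signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def create_jwt(user_id: int, secret: bytes, ttl: int = 980000, aud: str = "taobao.com", now=None) -> str:
    # Step 3: Base64url-encode header and payload, sign them, join as header.payload.signature.
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "iat": now, "exp": now + ttl, "aud": aud}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def set_cookie_header(token: str, domain: str = ".taobao.com", max_age: int = 980000) -> str:
    # Step 4 and step 8: HttpOnly keeps the token away from page scripts, Secure keeps it off
    # plain HTTP, and Domain set to the top-level domain shares it with every subdomain.
    return f"Set-Cookie: jwt={token}; HttpOnly; Secure; SameSite=Lax; Max-Age={max_age}; Domain={domain}"

def verify_jwt(token: str, secret: bytes, aud: str = "taobao.com", now=None) -> dict:
    # Steps 6 and 7: check signature, expiry and audience before trusting any claim.
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if payload.get("aud") != aud:
        raise ValueError("wrong audience")
    return payload  # caller reads payload["user_id"] and loads the user record
```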
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
