How to implement my own authentic class with an one-time token?[SOLVED]

Dear everyone:
my xwiki will integrate into an website,and it will send me a one-time token,
i extends XWikiAuthServiceImpl as follows【i ignored some private func】,but the checkauth will run for any url,the token will be invalid when used once,so ,how can i remeber the current user,or how to persist my logined status?

  public class XxxSSO extends XWikiAuthServiceImpl{

    @Override
    public XWikiUser checkAuth(XWikiContext context) throws XWikiException {
        try {
            System.out.println("OK,URL  query is " + context.getURL().getQuery());
            System.out.println("begin authentic:  " +context.getUser());
            String tokenstr = getToken(context);
            //todo 1.token is null when click any link on xwiki page
            if(tokenstr.equals(""))
            {
                System.out.println("OOPs,token is null");
                return super.checkAuth(context);
            }
            String validUserName = getUserbyToken(tokenstr);
            //todo 2.token exists from refresh but not useful for verify
            if(validUserName.equals(""))
            {
                System.out.println("OOPs,token is invalid,pls login");
                return super.checkAuth(context);
            }
            //3.token exists and ok for verify
            System.out.println("OK,login as " + validUserName);

            String validUserFullName = "XWiki." + validUserName;

            if (context.isMainWiki()) {
                System.out.println("OK,login mainwiki " );

                context.setUser(validUserFullName);

                return new XWikiUser(validUserFullName);
            } else {
                System.out.println("OK,login subwiki " );
                String userid=context.getMainXWiki() + ":" + validUserFullName;
                context.setUser(userid);
                System.out.println("OK,login mainwiki as  " +context.getUser());

               //how to persist the userid loggined status here?

                return new XWikiUser(context.getMainXWiki() + ":" + validUserFullName);
            }
        }catch(Exception e){
            e.printStackTrace();
        }

        //https://github.com/xwiki-contrib/sandbox/blob/master/authenticators/xwiki-authentication-headers/src/main/java/com/xwiki/authentication/headers/XWikiHeadersAuthenticator.java
        return super.checkAuth(context);
    }
}

Usually there is 2 ways to remember stuff about the current HTTP client:

  • the session (the client/server couple is supposed to maintain a session while you navigate)
  • a cookie which is stored and sent by the client on each HTTP request when you want to remember that client longer

You can see example of both uses in existing authenticators:

thanks a lot, i used session and ok now!!