Understanding about Web Authentication

Ajay Prakash Nair, Oct 9, 2021

When we think about authentication, the first picture that comes to mind is a login page submitting data to a back-end, which cross-checks it against data in a database. That covers the bare bones of an authentication system, but there is more to it, which we will discuss in the rest of this article.

What is meant by Authentication ?

Authentication is the process of recognizing a user's identity. It is the mechanism of associating an incoming request with a set of identifying credentials. The credentials provided are compared to those on file in a database of authorized users' information, either on a local operating system or within an authentication server.

Authentication Types

  • Basic Authentication
  • Cookie Based Authentication
  • Token Based Authentication

Basic Authentication

Basic Authentication is the simplest authentication mechanism for authenticating access to resources over HTTP. The credentials are sent in the request headers.

How does it work?

  1. The user submits the credentials.
  2. The username and password are concatenated into a single string: username:password.
  3. The client encodes that string with base64.
  4. The client puts the result in the Authorization header after the Basic keyword and sends it along with each HTTP request.

Stateful vs Stateless Authentication

Stateful: the authentication session can be revoked.
Stateless: the authentication session can't be revoked.

Cookie Based Authentication

Cookie based authentication is also known as session based authentication. In this method the user is assigned a unique identifier, and this identifier is stored on the server in memory. The client sends this session id with every request and the server uses it to identify the user.


How does it work?

  1. The client sends the login request.
  2. The server validates the credentials, creates a session, stores it in memory assigned to the current user and returns the generated session id.
  3. The client receives the session id and stores it in a cookie.
  4. The client sends subsequent requests with the session id from its cookie storage.
  5. When the user logs out, the session is destroyed (cookie removed and session removed from the server) and the same session id cannot be reused.

Always use HttpOnly cookies: to limit the damage of an XSS attack (cookie theft), always set the HttpOnly flag when setting session cookies. That way the cookie cannot be read from script through document.cookie.
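The five session steps and the HttpOnly advice, as an added example that is not part of the original post. The in-memory dictionaries and the user table are constructed stand-ins; the point is that the session id is random, the cookie carries HttpOnly, Secure and SameSite, and logout revokes the session on the server so a leftover cookie is useless.

```python
import secrets
import time

# Constructed in-memory session store: session_id -> {"user": ..., "expires": ...}.
SESSIONS = {}
SESSION_TTL = 3600  # seconds

# Constructed credential table (plaintext only to keep the demo short).
USERS = {"alice": "s3cret"}


def login(username: str, password: str):
    """Step 2: validate credentials, create a server-side session, return its id."""
    if USERS.get(username) != password:
        return None
    # 32 bytes from the OS CSPRNG: the id must be unguessable, because it is
    # the only thing tying later requests to this user.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "expires": time.time() + SESSION_TTL}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Step 3: the Set-Cookie header the server returns with the id.
    HttpOnly keeps the id out of document.cookie, Secure limits it to HTTPS,
    SameSite=Lax keeps most cross-site requests from carrying it."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookie_header: str):
    """Step 4: resolve a request's Cookie header to a user, or None."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    sid = cookies.get("sid", "")
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session["expires"] < time.time():
        SESSIONS.pop(sid, None)  # expired: drop it server-side
        return None
    return session["user"]


def logout(session_id: str) -> None:
    """Step 5: deleting the server-side entry revokes the session even if the
    client keeps a copy of the cookie (this is what makes the scheme stateful)."""
    SESSIONS.pop(session_id, None)
```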

Token Based Authentication

Token based authentication (also called bearer authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. Instead of sending the username and password for authentication, we use a server generated token.

Types of Token Based authentication

  1. JSON Web Tokens (JWT)
  2. Open Authorization (OAuth)
  3. Single Sign On (SSO)

JSON Web Tokens (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.


How does it work?

  1. The user submits a username and password.
  2. The server validates them and returns a JWT.
  3. The client sends the token with future requests, and the server verifies it before allowing them.
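Steps 2 and 3 with the HMAC option the text mentions, as an added example that is not code from the original post: issuing an HS256 JWT and verifying it before any claim is trusted. The key is a constructed placeholder. The verifier checks the alg field, compares the signature in constant time and enforces exp, which is what separates "verified and trusted" from merely decoded.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real key is random, at least 32 bytes, and kept in a secret store.
SECRET = b"demo-secret-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """JWT segments use unpadded base64url (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET, ttl: int = 900) -> str:
    """Step 2: the server issues header.payload.signature, signed with HMAC-SHA256."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes = SECRET, now=None):
    """Step 3: verify before trusting any claim; returns the payload or None.
    Checks: three segments; alg is exactly HS256 (a token relabelled "none" or
    another algorithm is rejected); signature matches in constant time; not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return payload
```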

Open Authorization (OAuth)

Open Authorization is an advanced version of token based authorization. We often use Facebook/Google/Twitter to sign in to an application; these are examples of Open Authorization.


How does it work?

  1. The user sends an authentication request to Google/Facebook.
  2. On finding that the user has an account on Google, the Google server responds with an authorization grant.
  3. The requesting application uses the authorization grant to request access to specific information.
  4. On gaining the permission, the app obtains an access token.
  5. The client then uses the access token to access a resource.
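The five OAuth steps as an added example that is not code from the original post, with both sides of the exchange in one file: a toy authorization server (the Google role) that hands out a grant and later an access token, and a client application that starts the flow and consumes the token. Client registration, the dictionaries and the redirect URI are constructed stand-ins. The checks worth noting are the registered redirect, the single-use code and the state comparison on the callback.

```python
import secrets

# Constructed in-memory state for a toy authorization server (the "Google" role).
REGISTERED_CLIENTS = {"photo-app": {"redirect_uri": "https://photo.example/callback"}}
AUTH_CODES = {}      # code  -> {"user": ..., "client_id": ..., "scope": ...}
ACCESS_TOKENS = {}   # token -> {"user": ..., "scope": ...}


# ---- authorization server side ----
def issue_authorization_grant(user, client_id, redirect_uri, scope, state):
    """Step 2: after the user consents, hand back an authorization code plus the
    client's state value, only to a registered client at its registered redirect."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"user": user, "client_id": client_id, "scope": list(scope)}
    return {"code": code, "state": state}


def exchange_code_for_token(code, client_id):
    """Step 4: swap a single-use code for an access token."""
    grant = AUTH_CODES.pop(code, None)  # consumed whether or not the check below passes
    if grant is None or grant["client_id"] != client_id:
        return None
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {"user": grant["user"], "scope": grant["scope"]}
    return token


def protected_resource(token, needed_scope):
    """Step 5: the resource server accepts the bearer token only if it is known
    and was granted the scope this resource needs."""
    info = ACCESS_TOKENS.get(token)
    if info is None or needed_scope not in info["scope"]:
        return None
    return {"user": info["user"]}


# ---- client application side ----
def client_login_flow(user):
    """Steps 1 and 3: start the flow with a fresh state value and, on the callback,
    refuse any grant whose state does not match before exchanging the code."""
    state = secrets.token_urlsafe(16)
    grant = issue_authorization_grant(
        user, "photo-app", "https://photo.example/callback", ["profile"], state)
    if grant is None or not secrets.compare_digest(grant["state"], state):
        return None
    return exchange_code_for_token(grant["code"], "photo-app")
```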

Single Sign On (SSO)

Single Sign On (SSO) is also an advanced authentication strategy that allows a user to log in with a single username and password to access several services. Google is a classic example of SSO: when we log in to Gmail, we get to use all the GDrive apps that come along with it.


How does it work?

  1. Enter the single username/password that you use for corporate access.
  2. The SSO solution requests authentication from the identity provider or authentication system that your company uses. It verifies your identity and notifies the SSO solution.
  3. The SSO solution passes authentication data to the website and returns you to that site.
  4. After login, the site carries authentication verification data with you as you move through the site, verifying that you are authenticated each time you go to a new page.