Understanding Web Authentication behind the login screen
Authentication is the process of verifying the identity of a user or information. User authentication is the process of verifying the identity of the user when that user logs in to a computer system.
The article briefly deals with authentication in modern web applications.
The two primary types of authentication are:
- Stateful authentication (session IDs and cookies)
- Stateless authentication (tokens)
To understand the significant difference between the two, see the Difference between the Stateless and Stateful Protocol article. Both types of authentication are best understood by following their flow.
Stateful authentication: Using session IDs and Cookies.
Flow of Authentication:
- The user submits the login credentials, i.e. username and password.
- The server verifies them against the database.
- The server then generates a temporary user session.
- The server issues a cookie containing the session ID.
- The client sends the cookie with each subsequent request.
- The server validates the session ID against the session store and grants access.
- When the user logs out, the server destroys the session and clears the cookie.
Note: A session ID is nothing but a random string that the server looks up in its session store to validate the user's requests. Because it carries no data of its own, no third party can extract any information from it.
Features of stateful authentication: every user session is stored server-side (stateful), for example:
- In memory or file systems (less common)
- In a cache (Redis or Memcached)
- In a database (commonly used ones include Postgres and MongoDB)
Each user is identified by the session ID.
- Opaque reference:
  - No third party can extract any data from it.
  - Only the issuer (the server) can map it back to the session data.
- Stored in a cookie:
  - Signed with a secret, and often protected with cookie flags so that clients cannot tamper with it. Cryptographically signing the cookie on the server side exists for one purpose: to detect any tampering with the cookie on the client side, so the server can be assured the cookie it receives is the one it issued.
Stateless Authentication: Using Tokens, JWT, OAuth & Others.
Flow Of Authentication using Tokens:
- The user submits the login credentials, i.e. username and password.
- The server verifies the credentials against the database.
- The server then generates a temporary token and embeds the user data into it.
- The server responds with the token (in the body or a header).
- The client stores the token in client storage (localStorage or sessionStorage).
- The client sends the token along with each request.
- The server verifies the token and grants access.
- When the user logs out, the token is cleared from client storage.
Features of Stateless Authentication Systems:
- Tokens are not stored on the server side, only on the client (stateless).
- Signed with a secret to protect against tampering.
- Verified by, and therefore trusted by, the server.
- Tokens can be opaque or self-contained.
- Tokens can carry all the required user data in their payload.
- This can reduce database lookups, but exposes the data to XSS attacks when the token sits in client storage.
- Tokens are typically sent in the Authorization header.
- When a token is about to expire, it can be refreshed, as the client is issued both an access token and a refresh token.
- The refresh token is used to obtain a new access token.
- Used in SPA web apps, web APIs, and even mobile apps.
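As an added example, not part of the original article, the following Python code contrasts the two mechanisms described above: an opaque session ID that only the server can map back to user data, and a self-contained token whose payload is signed with an HMAC secret and carries its own expiry. The secret, user data and timestamps are constructed for the demo; the token format is a simplified JWT-like `payload.signature` encoding, not a real JWT library.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: held server-side only, never sent to clients

# --- Stateful side: opaque session IDs mapped to data in a server-side store ---
SESSION_STORE: dict = {}

def create_session(user_data: dict) -> str:
    sid = secrets.token_urlsafe(32)   # random, carries no data; only the server can map it
    SESSION_STORE[sid] = dict(user_data)
    return sid

def lookup_session(sid: str) -> Optional[dict]:
    return SESSION_STORE.get(sid)     # unknown or destroyed session -> None

# --- Stateless side: self-contained token, signed with a secret, with expiry ---
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_data: dict, ttl_seconds: int, now: int) -> str:
    """Embed user data plus an 'exp' claim, then sign the encoded payload with HMAC-SHA256."""
    payload = dict(user_data, exp=now + ttl_seconds)
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the payload only if the signature matches and the token is not expired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):  # constant-time compare
            return None  # payload was altered or signed with a different key
        payload = json.loads(_unb64url(body))
    except ValueError:   # malformed base64, bad JSON, wrong number of segments
        return None
    if payload.get("exp", 0) <= now:
        return None      # expired: the client must use its refresh token to get a new one
    return payload

def altered_payload(token: str, new_data: dict) -> str:
    """Constructed test input: a rewritten payload with the original signature kept."""
    _, sig = token.split(".")
    body = _b64url(json.dumps(new_data, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{sig}"
```

`verify_token` never consults server state, which is what makes the scheme stateless; the trade-off is that revoking a token before `exp` is impossible without reintroducing a server-side list.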