Authorization and Authentication part 1

Posted by Sim Greenbaum on September 22, 2019

What are authorization and authentication, why do they matter, and how can they be attacked? Authentication is confirming that you are who you claim to be; this is the typical login process, where the server checks the submitted username and password against what is stored in the DB (a password hash, not the password itself). Authorization comes after we know who you are: what rights or access do you have in this system? Are you an admin with a full-access pass, or do you only have read rights?

To give an example, imagine you go to a conference. You arrive with your ticket and ID to get in: that is authentication. The employee checks your ticket to see what permissions you have. Are you VIP, a vendor, all-access? Can you go backstage? The employee then gives you a neck badge showing your status: that is your authorization. The same process happens with user credentials.

There are two main mechanisms we can use: sessions with cookies, or JWTs (tokens).

The typical flow of a session/cookie system:

  1. The user logs in by entering a username and password (front-end)
  2. The server verifies the credentials and creates a session, stored in the DB
  3. A cookie carrying the session ID is sent to the front-end and stored by the browser
  4. On each HTTP request the server matches the session ID from the cookie against the DB
  5. On logout the server destroys the session, so the cookie is no longer valid even if a copy of it was kept

Token based flow

Token-based auth has become very popular because apps are increasingly built as single-page apps. The most common format is JWT. One big difference is that a JWT is stateless: the DB does not store any session. The signed token is returned to the client, which adds it to the header of every HTTP request, and the server only has to verify the token's signature and expiry.

  1. The user logs in by entering a username and password (front-end)
  2. The server verifies the credentials and returns a signed token
  3. The token is stored client-side
  4. Each HTTP request to the server includes the token in a header
  5. The server only needs to verify the token's signature and claims; it does not query the DB. Decoding alone is not enough: the payload is just base64-encoded, so anyone can read or rewrite it, and only the signature check proves the server issued it
  6. On logout the token is discarded client-side with no server interaction needed. The caveat is that, because the server keeps no state, the token stays valid until it expires, so tokens should be short-lived (or the server needs a revocation list, which brings state back)

These are the basic differences between the two ways of logging in. Stay tuned for next week's post, where we will cover the pros and cons of each.

Signing off

Sim Greenbaum

Links

Tokens

Autho