
[ByteByteGo Daily] Password, Session, Cookie, Token, JWT, SSO, OAuth - Authentication Explained - Part 1 #143

Open
reboottime opened this issue Jul 3, 2023 · 4 comments

Comments

@reboottime (Owner) commented Jul 3, 2023

Overview

These notes are extracted from Password, Session, Cookie, Token, JWT, SSO, OAuth - Authentication Explained - Part 1, by Alex Xu.

There are three essential security steps when we use various websites (or applications):

  • Identification
  • Authentication
  • Authorization

Differences

@reboottime (Owner Author)

Authentication ways

Password Authentication

In this method, users enter their unique username and password combination to gain access to protected resources.

  • The limitations of password-based authentication:

    • users may forget their password
    • using the same username/password on multiple websites
    • password-based systems can be vulnerable to attacks (such as brute-force or dictionary attacks)
  • To address the above issues, modern systems often implement additional security measures,

    • such as multi-factor authentication (for example, a one-time password by email or message, or a Google Authenticator code)
    • or use other authentication mechanisms (session-cookie, token-based authentication) to complement or replace password-based authentication for subsequent access to protected resources.

@reboottime (Owner Author)

HTTP Basic Access Authentication

  • The interaction flow

[image: HTTP basic access authentication interaction flow]

  • Explanation of the interaction flow

    • The interaction flow can be explained as follows: during the third and fourth steps, the client prompts the user to provide their username and password. These credentials are then combined into a single string in the format 'username:password'. Next, the string is decoded into the base64 format and sent to the backend via the HTTP Authorization Basic header in the subsequent request to the server, for example Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=.
    • On the server side, upon receiving the request, the encoded credentials are decoded and separated into the username and password components. The server then validates the username and password combination to determine whether the request is authorized or not.
  • The pros and cons

    • The limitations: As you can imagine, there are intermediate transit points between the server and the client. So if someone grabs the username and password combination in Base64, they can easily decode the username and password. Most websites use TLS to encrypt data between the browser and server, but...
    • The pros: users do not have to input their username and password for every request, compared with password authentication.

@reboottime (Owner Author)

Session-Cookie Authentication

Session-cookie authentication addresses HTTP basic access authentication's inability to track user login status.

  • The interaction flow

[image: session-cookie interaction flow]

  • More about the session cookie
    • The server sends the session ID to the client as a cookie, typically with a Set-Cookie header.
    • Security:
      • Use the HttpOnly attribute to prevent access to cookie values via JavaScript.
      • Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax. In browsers that support SameSite, this ensures that the authentication cookie isn't sent with cross-site requests.
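The two server-side pieces described in the HTTP Basic and session-cookie comments above, as an added Python example that is not part of the original notes: parsing and validating an `Authorization: Basic` header (split on the first colon only, constant-time comparison, reject malformed base64) and emitting a `Set-Cookie` header for a random session ID with the HttpOnly, Secure, SameSite and short-lifetime attributes. The `USERS` table, the `sid` cookie name and the 900-second lifetime are constructed assumptions for the demo.

```python
import base64
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed demo credential store (assumption). A real server stores a
# salted password hash, never the plaintext; the second entry shows a
# password that itself contains ':'.
USERS = {"username": "password", "bob": "pa:ss"}


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value the client sends in step 4."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def verify_basic(header: str) -> Optional[str]:
    """Server side: decode the Basic header and validate the credentials.
    Returns the username on success, None on any failure."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not valid UTF-8
    # RFC 7617: the password may contain ':', so split on the first one only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(username)
    # Constant-time compare so timing does not leak how many bytes matched.
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return None
    return username


def new_session_id() -> str:
    """Opaque, unguessable session ID (256 bits from the CSPRNG)."""
    return secrets.token_urlsafe(32)


def session_set_cookie(session_id: str) -> str:
    """Set-Cookie header value for the session ID: HttpOnly blocks
    JavaScript access, SameSite=Strict stops cross-site sends, Secure keeps
    it on TLS, and Max-Age gives it the short lifetime the notes recommend."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["max-age"] = 900
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()
```

After a successful `verify_basic` the server would create a session record, store the ID from `new_session_id()` on the server side, and answer with `Set-Cookie: ` followed by `session_set_cookie(...)`.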
