Basic Authentication
Objectives
-
Describe & Draw authentication data flow.
-
Describe the role of "cookies"
-
Describe how cookies are used to create "sessions"
Classical Authentication
Client
Server
1. Client sends user/password
Classical Authentication
Client
Server
1. Client sends user/password
2. Server validates user/pass and upon success creates a cookie
Classical Authentication
Client
Server
1. Client sends user/password
2. Server validates user/pass and upon success creates a signed cookie
3. Server sends cookie
Classical Authentication
Client
Server
1. Client sends user/password
2. Server validates user/pass and upon success creates a signed cookie
3. Server sends cookie
4.
All further communication
involves the signed cookie
Classical Authentication
Client
Server
1. Client sends user/password
2. Server validates user/pass and upon success creates a signed cookie
3. Server sends cookie
4.
All further requests
send the signed cookie
5.
All further requests check the cookie
Cookies
Cookies are a piece of data which your browser AND server both store.
Cookies are used to identify the browser to the server.
Cookies
Servers create the cookie and sign it.
The cookie is sent to the client.
The client always sends the cookie back to the webserver for subsequent requests.
Cookies
This use of a cookie creates a "session".
Security Concern
Crucially: a client needs to be able to hold information that uniquely identifies it, but that could not be recreated by a 3rd party attacker.
Activity Break
Grab a mini-whiteboard and draw the authentication flow.
Activity Break
Now show your neighbor!
Activity Break
Now I'm going to do it!!
Looking Ahead
Questions:
What could go wrong?
How will we encrypt the important data?
Why is it safe to send username/password in the first place?
Step 1: POST
We have to send our server a username and password.
<form action="/login" method="POST">
<input type="text" name="username">
<input type="text name="password>
</form>
app.post("/login", function(req, res) {
// req.body contains the un/password.
// What are we gonna do?
});
Step 2: Encrypt
We never store plaintext passwords.
app.post("/login", function(req, res) {
// add bcrypt
});
Step 3: Check Records
We never store plaintext passwords.
app.post("/login", function(req, res) {
// add bcrypt
// add Knex/pg/or other DB layer
});
Step 4: Cookie Session
We never store plaintext passwords.
app.post("/login", function(req, res) {
// add bcrypt
// add Knex/pg/or other DB layer
// If bcrypt result && DB entry match,
// success -- create a signed cookie for the user
// otherwise,
// failure -- send the user "incorrect password" message
});
Recap:
-
Describe & Draw authentication data flow.
-
Describe the role of "cookies"
-
Describe how cookies are used to create "sessions"
Questions?
Authentication Basics
By Tyler Bettilyon
Authentication Basics
- 1,603