Client                                         Server
1. Client sends user/password
2. Server validates user/pass and upon success creates a signed cookie
3. Server sends cookie
4. All further requests send the signed cookie
5. All further requests check the cookie
Cookies are a piece of data which your browser AND server both store.
Cookies are used to identify the browser to the server.
Servers create the cookie and sign it.
The cookie is sent to the client.
The client always sends the cookie back to the webserver for subsequent requests.
This use of a cookie creates a "session".
Crucially: a client needs to be able to hold information that uniquely identifies it, but that could not be recreated by a 3rd party attacker.
Grab a mini-whiteboard and draw the authentication flow.
Now show your neighbor!
Now I'm going to do it!!
Questions:
What could go wrong?
How will we encrypt the important data?
Why is it safe to send username/password in the first place?
We have to send our server a username and password.
<form action="/login" method="POST">
<input type="text" name="username">
<input type="password" name="password">
</form>
app.post("/login", function(req, res) {
// req.body contains the un/password.
// What are we gonna do?
});
We never store plaintext passwords.
app.post("/login", function(req, res) {
// add bcrypt
// add Knex/pg/or other DB layer
// If bcrypt result && DB entry match,
// success -- create a signed cookie for the user
// otherwise,
// failure -- send the user "incorrect password" message
});