Basic Authentication

Objectives

  • Describe & Draw authentication data flow.

  • Describe the role of "cookies"

  • Describe how cookies are used to create "sessions"

Classical Authentication

Client

Server

1. Client sends user/password

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a cookie

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a signed cookie

3. Server sends cookie

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a signed cookie

3. Server sends cookie

4.
All further communication

involves the signed cookie

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a signed cookie

3. Server sends cookie

4.
All further requests

send the signed cookie

5.

All further requests check the cookie

Cookies

Cookies are a piece of data which your browser AND server both store.

 

Cookies are used to identify the browser to the server.

Cookies

Servers create the cookie and sign it.

 

The cookie is sent to the client.

 

The client always sends the cookie back to the webserver for subsequent requests.

Cookies

This use of a cookie creates a "session".

Security Concern

Crucially: a client needs to be able to hold information that uniquely identifies it, but that could not be recreated by a 3rd party attacker.

 

Activity Break

Grab a mini-whiteboard and draw the authentication flow.

Activity Break

Now show your neighbor!

Activity Break

Now I'm going to do it!!

Looking Ahead

Questions:

 

What could go wrong?

How will we encrypt the important data?

Why is it safe to send username/password in the first place?

 

Step 1: POST

We have to send our server a username and password.

<form action="/login" method="POST">
    <input type="text" name="username">
    <input type="text name="password>
</form>
app.post("/login", function(req, res) {
    // req.body contains the un/password.
    // What are we gonna do?
});

Step 2: Encrypt

We never store plaintext passwords.

app.post("/login", function(req, res) {
    // add bcrypt
});

Step 3: Check Records

We never store plaintext passwords.

app.post("/login", function(req, res) {
    // add bcrypt

    // add Knex/pg/or other DB layer
});

Step 4: Cookie Session

We never store plaintext passwords.

app.post("/login", function(req, res) {
    // add bcrypt

    // add Knex/pg/or other DB layer

    // If bcrypt result && DB entry match, 
        // success -- create a signed cookie for the user
    // otherwise, 
        // failure -- send the user "incorrect password" message
});

Recap:

  • Describe & Draw authentication data flow.

  • Describe the role of "cookies"

  • Describe how cookies are used to create "sessions"

Questions?

Made with Slides.com