TIL — Understanding cookie based authentication

Establishing the identity of users is imoprtant for securing resources and personalizing experiences on websites. This is where the concept of authentication comes into play. While the mechanism seems straightforward from a user’s perspective — you log in, and you’re granted access — the underlying system is far more complex. Today we will dive into token based authentication.

HTTP: The Stateless Protocol

HTTP is designed to be stateless. This means each request from a client to a server is independent; the server doesn’t have any memory of past requests from that client. While this architecture has advantages in terms of performance and scalability, it poses a significant challenge for implementing secure and personalized experiences. In other words, HTTP does not understand the relationship between two requests out-of-the-box.

The Need for Authentication

Since HTTP is stateless, how does a server recognize that a sequence of requests comes from the same client and should have associated permissions? This is where authentication mechanisms come in.

Token-Based Authentication

One common approach to deal with the stateless nature of HTTP is using token-based authentication. When a user signs in with their credentials, the server validates them and, if they are correct, generates a token. This token, often known as an access token, is sent back to the client in the HTTP response.

How Tokens are Stored

Once the client receives the access token, it typically stores it in-memory or in some secure storage depending on the application’s requirements.

Subsequent Requests

For every subsequent request, the client attaches this token in the HTTP headers, usually under the Authorization field. When the server receives a request, it extracts the token and validates it. If the token is valid, the server proceeds to fulfill the request; otherwise, it returns an unauthorized error.

// Example of sending an authenticated request using JavaScript fetch API
fetch('https://api.example.com/resource', {
  headers: {
    'Authorization': `Bearer ${accessToken}`
  }
});

Advantages of Token-Based Authentication

1. Stateless: The server doesn’t need to remember the user’s authentication state, which aligns well with HTTP’s stateless nature.
2. Scalability: As tokens are stored on the client-side, the server is relieved from managing session states, making it easier to scale.
3. Security: Tokens can be designed to expire after a certain period, adding an extra layer of security.
4. Versatility: Tokens can be used across multiple services without requiring separate authentication, which is useful for microservice architectures.

Conclusion

Understanding the stateless nature of HTTP is crucial for implementing robust authentication mechanisms. Token-based authentication offers a way to work around the stateless limitation to provide secure and scalable solutions. By returning an access token on successful login and requiring that token for subsequent requests, you can maintain a secure communication channel between the client and the server.