Ways to authenticate and authorize web requests.

Authorization refers to the rules that determine who is allowed to do what. Let’s take a Facebook login scenario. There you enter a username and a password. Here the username serves authorization purposes: by providing a username, Facebook knows that you are a legitimate user who should be given the privileges of entering and modifying your own Facebook account. So by providing a username, you have shown your authorization to access Facebook. But there is a remaining text field named password, and you still haven’t been able to enter your Facebook page. Why?

What if someone tries to use your username to access your profile? How do you tell Facebook that this is you, and that anyone else is just someone trying to mess things up? This is where the value in that additional text field named password comes in: it provides authentication.

Here is how Wikipedia defines authentication:

Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity

Authentication is simply a process. After finishing this process, the party who asked for the authentication (Facebook, Gmail, a policeman, etc.) can be certain that the thing or person is what or who it claims to be. Let’s take the Facebook login scenario again. After providing a username to say that you have authority to access Facebook, you must prove that you are who you say you are. This is why Facebook asks for that password, which probably only you know. This is similar to showing your NIC when a policeman asks you to identify yourself. Same thing!

These two words go together in web applications.

I surf the web usually with my smartphone. I usually fill in certain work-related forms, get articles related to academic stuff, download songs, log in to Facebook, etc. using my phone too. I use the web application to scroll Facebook, not the app. There is a particular scenario that happens to me often. Most of the time, when I go back to my Facebook timeline, which I usually don’t log out of, it says my “Session has expired”. Then I started to search for what a session is and how it works.

Before I tell you why we need a session, let me give an overview of how the Hypertext Transfer Protocol (HTTP) works. All our interactions with the web are done using this protocol. In simple words, it’s like a language or set of rules for speaking between two endpoints on the web; here, my phone’s browser and a remote Facebook server.
So usually, as a client, I request something (a web page, a button click) and that is sent as an HTTP request to the server; according to that request, the server sends back the HTTP response I need using the same protocol. This is how a basic client-server interaction works over HTTP.
Well, there are three interesting aspects of this protocol.

HTTP is a stateless protocol → This means that the server and client are aware of each other only during the current request. Afterwards, both of them forget about each other. Due to this nature of the protocol, neither the client nor the server can retain information between different requests across web pages.

HTTP is connectionless too → This follows from HTTP being stateless. A connection is opened to send my request and is then closed. Then, over a whole new connection, the server sends the response back to me.

HTTP is media independent → Any type of data can be sent over HTTP as long as both the client and the server know how to handle the content. The client as well as the server must specify the content type using the appropriate MIME type. (MIME stands for Multipurpose Internet Mail Extensions. It is a way of identifying files on the Internet according to their nature and format. For example, using the Content-Type header value in an HTTP response, the browser can open the file with the proper extension or plugin.)

So that means even if I authenticate myself to Facebook once, it still won’t be enough, because the server forgets me after the first interaction. That means I have to re-authenticate myself constantly, sending my credentials in the HTTP request header on each request. This can be risky, because we expose our credentials in the header every time.
But the internet still runs on HTTP, and we don’t live in a world where we constantly have to authenticate. So what does the trick? This is where sessions come into play.


A session can be defined as server-side storage of information that is meant to last throughout the user’s interaction with the web site or web application.
When I first send a request to the server, the server notes my IP address/browser, stores some local session data, and sends a session ID back to the client. The session data stays on the server. Then I send that same session ID back to the server on future requests. The server uses the session ID to retrieve the data for the client’s session later, like a ticket given at a music concert: you have to show your half of the ticket when you go outside and try to come back in (but, like sessions, tickets can be stolen too). The description above shows how a session can “remember” a user after one authentication and authorization.

But sessions expire after some time. Because HTTP is stateless, it is hard for the server to know when a user has finished a session. The client deletes session cookies when the browser closes, and for another reason the server will usually clear old session IDs which haven’t been used in a while. This is done as a security measure. These sessions are implemented by programming languages like PHP; in PHP, there is a construct called session. But how does the server send this session ID to a user in a secure way?
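The server-side mechanism described above, written out as an added example (in Python rather than PHP, and not code from the original post): the server keeps the state, hands the client only an unguessable session ID, and clears IDs that have not been used for a while. The `IDLE_TIMEOUT` value and the `SessionStore` class are assumptions made for this example.

```python
import secrets
import time

# Constructed example of a server-side session store. HTTP forgets the client
# after each request, so the server keeps the state and the client only carries
# an opaque session ID. Sessions idle longer than IDLE_TIMEOUT seconds are dropped.
IDLE_TIMEOUT = 30 * 60  # hypothetical value; a real application tunes this to its risk


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised in a test
        self._sessions = {}    # session_id -> {"data": dict, "last_seen": float}

    def create(self, user):
        """Start a session after successful authentication; return the ID for the client."""
        # 32 random bytes, URL-safe: the ID is unguessable, so it cannot be forged.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"data": {"user": user}, "last_seen": self._now()}
        return session_id

    def lookup(self, session_id):
        """Return the session data for an ID presented on a later request, or None."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None  # unknown or already cleared ID
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            # Stale ID: the server-side cleanup of unused sessions mentioned above.
            del self._sessions[session_id]
            return None
        entry["last_seen"] = self._now()  # sliding expiry: activity keeps the session alive
        return entry["data"]

    def destroy(self, session_id):
        """Explicit logout: forget the server-side state so the ID is useless afterwards."""
        self._sessions.pop(session_id, None)


def demo():
    """Walk through create, use, idle expiry and a made-up ID; returns the observations."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.create("alice")
    first = store.lookup(sid)["user"]        # "alice": the server remembers the client
    clock[0] += IDLE_TIMEOUT + 1             # the user walks away for too long
    expired = store.lookup(sid)              # None: this is the "Session has expired" case
    unknown = store.lookup("not-a-real-id")  # None: an ID the server never issued
    return first, expired, unknown


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the client never holds the user data itself, only the random ID; everything the server knows about the session lives in `_sessions`, which is why logging out (`destroy`) or idle cleanup makes a stolen ID worthless.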

Now that we have an idea about sessions, let’s learn what cookies are.
Cookies are nothing but a small amount of information sent by a server to a browser and then sent back by the browser on future page requests.
A cookie’s data consists of a single name/value pair, sent in the header of the client’s HTTP GET or POST request.
Cookies have many uses, such as authentication, since they store data about the client, and user tracking: they remember a user’s preferences and give a prominent place to those.
We get this cookie the same way we got the session ID. The only thing is that we have to allow cookies to be stored in our browser.
When the browser requests a page, the server may send back one or more cookies with it. If the server has previously sent any cookies to the browser, the browser sends them back on subsequent requests.
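The round trip described above (server sends Set-Cookie, browser returns Cookie on later requests), as an added example using Python’s standard `http.cookies` module; this is not code from the original post. The cookie name `sid` and the 1800-second lifetime are assumptions for the example. It also shows the attributes a session cookie should carry so that the ID is only sent over HTTPS and is not readable by page scripts.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # hypothetical cookie name chosen for this example


def set_cookie_header(session_id, max_age=1800):
    """Build the Set-Cookie header value the server sends alongside its response."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True    # page scripts cannot read it, which limits theft via script injection
    morsel["secure"] = True      # only sent over HTTPS, so the ID is not exposed on the wire
    morsel["samesite"] = "Lax"   # not attached to most cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age  # the cookie expiry mentioned in the text, in seconds
    return morsel.OutputString()


def session_id_from_request(headers):
    """Parse the Cookie header of a later request and return the session ID, or None."""
    raw = headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)                 # "a=1; b=2" -> name/value pairs
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def round_trip(session_id):
    """Simulate: server issues the cookie, the browser echoes it back, the server reads the ID."""
    issued = set_cookie_header(session_id)
    # A browser sends back only name=value, never the attributes; constructed request headers:
    name_value = issued.split(";", 1)[0]
    request_headers = {"Cookie": f"theme=dark; {name_value}"}
    return issued, session_id_from_request(request_headers)


if __name__ == "__main__":
    header, recovered = round_trip("abc123")
    print("Set-Cookie:", header)
    print("recovered session id:", recovered)
```

`OutputString()` emits only the header value (`sid=abc123; HttpOnly; Max-Age=1800; Path=/; SameSite=Lax; Secure`); the browser stores the attributes but sends back just `sid=abc123`, which is why the parser on the request side only needs the name/value pair.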

Then there is a newer way of authenticating: tokens.

Let’s get a brief idea before we go into details.
What is a token? A token is a piece of data that has no meaning or use on its own.
Well, that’s just sad, isn’t it? But no: when we use a token with a correct token-handling system, it gives a higher level of security to our systems.
The theory is simple.
Token-based authentication works by ensuring that each request to a server is accompanied by a signed token, which the server verifies for authenticity and only then responds to the request. This is like signing your request with your signature.

The use of tokens has many benefits compared to traditional methods such as cookies.
The token is stateless: a token carries its details inside it and has all the information needed to describe itself. It’s like a licensed messenger. This frees the server from storing session data. There is no need to keep a session store; the token is a self-contained entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side.

Decoupling: you are not tied to a particular authentication scheme like OAuth2. The token might be generated anywhere, hence your API can be called from anywhere with a single way of authenticating those calls.

Tokens have an expiration (represented by the exp property); otherwise, someone could authenticate to the API forever once they had logged in at least once. Cookies also have an expiration for the same reason.
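A minimal signed, self-contained token with an `exp` claim, as an added example that is not code from the original post: the payload is base64url-encoded JSON signed with HMAC-SHA256 (the same shape as a JWT’s payload and signature, without the header part), and the server verifies the signature and the expiry before trusting any claim. The signing key, the `sub` claim and the 60-second lifetime are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-change-me"  # assumption: a key known only to the server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, ttl, now=None):
    """Sign the claims plus an exp timestamp; returns '<payload>.<signature>'."""
    now = time.time() if now is None else now
    payload = dict(claims, exp=int(now + ttl))
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a tampered or forged token fails here.
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, TypeError):
        return None  # malformed token: wrong shape, bad base64 or bad JSON
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: the exp check the text describes
    return claims


if __name__ == "__main__":
    token = issue_token({"sub": "alice"}, ttl=60)
    print(token)
    print(verify_token(token))  # the claims, since the token is fresh
```

Because the user information travels inside the token, the server needs no session store; what it must protect instead is `SECRET`, since anyone holding it can mint tokens that pass `verify_token`.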

So this provides a brief entry point to authentication and authorization of web requests. Read more technical articles on how to implement tokens for a deeper understanding.


