The Most Common Authentication Methods in Web Application Development.
When it comes to web or mobile app development, security is a key concern. The two basic concepts involved are "authentication" and "authorization". Authentication is the process of verifying someone's identity using pre-registered details (commonly a username and password). Authorization is the process of granting an authenticated user access to a specified resource (e.g. the right to access a file). In this article we discuss the most common authentication methods available.
Cookie vs Token Authentication
Cookie-based authentication is considered a stateful (server-based) authentication method. Authentication records must be stored on both the client side and the server side: the server keeps and maintains the active session details in its data store, and a cookie is created on the front end to hold the session identifier.
The flow of cookie-based authentication can be summarized as follows:
- The user enters login credentials.
- The server verifies the given credentials, creates a session and stores it in the database.
- A cookie holding the session ID is kept on the client side (the user's browser).
- For subsequent requests, the session ID is verified against the database.
- The session is destroyed on both the client and server side once the user logs out.
The main disadvantage of this authentication method is that the server has to store session data for each and every user, which increases the overhead on the server.
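The five steps above, written out as an added example (not code from the original article): a minimal stateful login where the server keeps a session store keyed by a random session ID, the client only holds that ID in a cookie, and logout deletes the server-side record. The user store, salt, and session TTL are constructed for the demo; in a real application the session store would be a database or cache shared by all servers, which is exactly the overhead the paragraph above describes.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo user store (username -> salted PBKDF2 hash); stands in for a real database.
_SALT = b"constructed-demo-salt"
USERS: Dict[str, bytes] = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}

# Server-side session store: session_id -> {"user": ..., "expires": ...}.
# This is the per-user state the server must keep for the lifetime of every login.
SESSIONS: Dict[str, dict] = {}
SESSION_TTL = 3600  # seconds


def verify_credentials(username: str, password: str) -> bool:
    """Step 2: compare the submitted password against the stored hash in constant time."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


def login(username: str, password: str) -> Optional[str]:
    """Steps 1-3: verify credentials, create a server-side session and return the
    session ID that goes into the cookie (None on failure)."""
    if not verify_credentials(username, password):
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable 256-bit identifier
    SESSIONS[session_id] = {"user": username, "expires": time.time() + SESSION_TTL}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value the server sends; HttpOnly/Secure/SameSite limit cookie theft and CSRF."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def _parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict, ignoring malformed pairs."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def authenticate_request(cookie_header: str) -> Optional[str]:
    """Step 4: look the cookie's session ID up in the server store; returns the username."""
    session_id = _parse_cookie_header(cookie_header).get("session", "")
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if session["expires"] < time.time():
        del SESSIONS[session_id]  # expired: drop the record server-side
        return None
    return session["user"]


def logout(cookie_header: str) -> bool:
    """Step 5: destroy the session server-side so the cookie value is worthless afterwards."""
    session_id = _parse_cookie_header(cookie_header).get("session", "")
    return SESSIONS.pop(session_id, None) is not None


if __name__ == "__main__":
    sid = login("alice", "correct horse")
    print("Set-Cookie:", set_cookie_header(sid))
    print("authenticated as:", authenticate_request(f"session={sid}"))
    logout(f"session={sid}")
    print("after logout:", authenticate_request(f"session={sid}"))
```

Note that the cookie carries only an opaque random ID, never the username or any claim; every request costs a lookup in SESSIONS, and logout works immediately because the server, not the client, owns the session's validity.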
Token Based Authentication
This is the most widely used authentication method and is suitable for single page applications, web APIs and IoT development (JSON Web Tokens are most often used; I hope to discuss them later). Token-based authentication is stateless: the server keeps no record of which users are logged in. Instead, a token is generated from the credentials provided. The main advantage of token-based authentication is that the client side and server side are decoupled for the authentication mechanism, which allows an uninterrupted workflow. Since no session information is stored, your application can scale and add more machines as necessary without worrying about where the user logged in. The flow of token-based authentication can be summarized as follows:
- The user provides credentials.
- The server verifies the credentials and returns a signed token.
- The token is stored on the client side.
- Subsequent requests to the server are sent with the token in an authentication header (HTTP header).
- The server verifies the token (JSON Web Token) and returns the required data.
- The token is destroyed on the client once the user logs out.
Token-based authentication can be applied to Web API 2 via OWIN (OWIN is a standard interface between a .NET web application and the server, used to decouple the two). Usage of OWIN will be discussed later.
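The token flow above as an added example, again not code from the article and not the OWIN/.NET stack it mentions: a stateless HS256 JSON Web Token is minted after the credential check, carried in the Authorization header, and verified on each request purely from the signature, a pinned algorithm and the expiry claim, with no server-side lookup. The signing key, user name and timestamps are constructed for the demo; a real service would load the key from secret storage and would normally use a JWT library rather than the standard-library implementation shown here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed demo signing key; a real deployment loads a random key from secret storage.
SECRET_KEY = b"constructed-demo-secret-key"
ALLOWED_ALG = "HS256"  # the only algorithm this verifier will ever accept


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(username: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Step 2: after the credentials check out, return a signed, expiring JWT."""
    now = time.time() if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": username, "iat": int(now), "exp": int(now) + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + _b64url_encode(_sign(signing_input))


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 5: validate algorithm, signature and expiry; no session store is consulted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Pin the algorithm: the header is untrusted input until the signature has been checked.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    if not hmac.compare_digest(_sign(header_b64 + "." + payload_b64), signature):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # missing or past expiry: the token is no longer valid
    return payload


def authenticate_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Step 4: read the bearer token from the Authorization header; returns the subject."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    payload = verify_token(token.strip(), now)
    return payload.get("sub") if payload else None


if __name__ == "__main__":
    tok = issue_token("alice", ttl=600)
    print("Authorization: Bearer", tok)
    print("authenticated as:", authenticate_request({"Authorization": "Bearer " + tok}))
```

The trade-off against the cookie flow is visible in verify_token: any server holding SECRET_KEY can validate the token without shared state, which is what makes scaling out easy, but the same property means a token stays valid until "exp" regardless of client-side logout, so token lifetimes should be short.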