Types of Web Authentication for Beginners part-1

Kamesh Karmegam

Authentication verifies the identity of the user. Most web authentication schemes fall into one of two kinds: stateless and stateful.

Stateful Authentication

If the web server stores data in server memory and uses it to identify the user as an always-connected client, the service is called stateful. There are several types of stateful authentication.

1. Basic HTTP Authentication

Basic HTTP Authentication transmits credentials as user ID/password pairs encoded using Base64. It is a stateful authentication scheme. The user submits login credentials (username and password).

HTTP authentication scheme

Authorization: <type> <credentials>
Authorization: Basic base64(userid:password)
Authorization: Basic QUFBQUFBQUE6QkJCQkJCQkI=

The username and password are concatenated with a colon (:) in between, and the whole string is then encoded using Base64. For example, if the username is “AAAAAAAA” and the password is “BBBBBBBB”, then the string “AAAAAAAA:BBBBBBBB” is Base64-encoded, giving “QUFBQUFBQUE6QkJCQkJCQkI=”.

The server then gets the header value, decodes it to get the credentials, and grants access to the user if the credentials are correct.

Pros:

  • It's simple to implement.
  • Just one GET request to the server is needed to get the information, making the client slightly faster than more complex authentication methods.

Cons:

  • SSL is slower than plain HTTP, so it makes clients slightly slower.
  • The HTTP Basic authentication scheme can be considered secure only when the connection between the web client and the server uses HTTPS. Without HTTPS, the scheme does not provide sufficient security to prevent unauthorized users from accessing the user's data.

2. HTTP-Digest Authentication

Digest Authentication was designed as an improvement over the HTTP Basic Authentication. It attempts to solve many of the weaknesses of Basic authentication, specifically by ensuring credentials are never sent in clear text across the wire.

Digest Access Authentication Syntax

Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:Hash2)

Pros:

  • It is encrypted, making a non-SSL connection more secure than an HTTP Basic request that isn’t sent over SSL.

Cons:

  • For every call needed, the client must make two requests, which makes the process slightly slower than HTTP Basic.
  • HTTP Digest is vulnerable to a man-in-the-middle attack.
  • HTTP Digest prevents the use of strong password encryption on the server, so it is vulnerable to rainbow-table attacks.
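The three formulas above and the last con, worked through as an added example that is not part of the original post (Python, all credentials, realm, URI and nonce values are constructed): the client computes Hash1, Hash2 and the response; the server, which can only hold Hash1 per user, recomputes and compares it.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; realm, URI and credentials are made up for this example.
USERNAME = "alice"
PASSWORD = "correct horse battery"
REALM = "example-realm"
METHOD = "GET"
DIGEST_URI = "/private/report"

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def hash1(username: str, realm: str, password: str) -> str:
    # Hash1 = MD5(username:realm:password)
    return md5_hex(f"{username}:{realm}:{password}")

def hash2(method: str, digest_uri: str) -> str:
    # Hash2 = MD5(method:digestURI)
    return md5_hex(f"{method}:{digest_uri}")

def digest_response(h1: str, nonce: str, h2: str) -> str:
    # response = MD5(Hash1:nonce:Hash2)
    return md5_hex(f"{h1}:{nonce}:{h2}")

def client_response(username, password, realm, nonce, method, uri) -> str:
    # The value the client places in the response="..." field of the Digest header.
    return digest_response(hash1(username, realm, password), nonce, hash2(method, uri))

# Server side. Verification needs Hash1 itself, so the server must store
# MD5(username:realm:password) per user; it cannot switch to a salted, slow
# password hash, which is the weakness behind the rainbow-table con above.
SERVER_USER_TABLE = {USERNAME: hash1(USERNAME, REALM, PASSWORD)}

def new_nonce() -> str:
    # Fresh per challenge; a reused nonce would let a captured response be replayed.
    return secrets.token_hex(16)

def server_verify(username, nonce, method, uri, response) -> bool:
    stored_h1 = SERVER_USER_TABLE.get(username)
    if stored_h1 is None:
        return False
    expected = digest_response(stored_h1, nonce, hash2(method, uri))
    return hmac.compare_digest(expected, response)
```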

3. Cookie-based Authentication

Cookie-based authentication has been the common method for handling user authentication for a long time.

→ The user submits login credentials (username and password).

→ The server verifies the credentials against the database.

→ The server creates a temporary user session (a random token) and issues a cookie containing the session ID, while storing the authenticated session in memory or an internal database.

→ When the client accesses the application, it sends the cookie with each request; the application retrieves the session data from session storage, checks that the session is valid, and then decides whether the client may access the requested resource.

→ When the user logs out, the server destroys the session & clears the cookie.

Pros:

  • Cookies work efficiently with single domains and sub-domains.
  • If the HttpOnly flag is set, JavaScript cannot access the cookie information.
  • If the Secure flag is set, session cookies cannot be sent over an unencrypted channel (HTTP).

(Image: HttpOnly and Secure Flag)

Cons :

  • The round trip for cookie-based authentication is likely to take longer than decoding a token.
  • Although cookies work efficiently with single domains and sub-domains, when it comes to managing cookies across different domains, it can get a little untidy.

In this article, I explained the basics of the types of stateful authentication. For stateless authentication, part-2 will be published shortly! :)
