14 - Authentication

Question 1

process of verifying that someone is who they say they are

Answer 1

authentication

Question 2

reasons for authentication (3)

Answer 2

1. saving client-client data
2. customizing user experience
3. authorization/usage control

Question 3

• user’s browsing or activity history
• list of API calls

Answer 3

saving client-client data

Question 4

users have preferences and settings

Answer 4

customizing user experience

Question 5

• different permissions for admin and regular users
• limit API calls over a set period of time

Answer 5

authorization/usage control

Question 6

involves granting access to resources based on someone’s identity

Answer 6

authorization

Question 7

true/false

a user can be authenticated, but not authorized to access a particular resource

Answer 7

true

Question 8

what do we need for authentication (2)

Answer 8

1. credentials
2. authentication token or session id from the server

Question 9

an identity and an authentication factor

Answer 9

credentials

Question 10

used for subsequent requests that require authentication

Answer 10

authentication token or session id from the server

Question 11

servers remember users with the use of ___ or ____

Answer 11

cookies, sessions

Question 12

2 kinds of auth

Answer 12

1. token-based auth
2. session-based auth

Question 13

the __ gives out tokens to clients

Answer 13

authenticating server

Question 14

a string of data

Answer 14

token

Question 15

a generic medium of information

Answer 15

token

Question 16

true/false

tokens can either be signed or encrypted but not both

Answer 16

false, it can be signed, encrypted, both, or neither

Question 17

auth tokens are usually at least ___

Answer 17

signed

Question 18

a/an ___ message means that its origin can be verified

Answer 18

signed

Question 19

a/an ___ message means that only its intended recipient can read it

Answer 19

encrypted

Question 20

true/false

clients send an auth token with every request that needs authentication

Answer 20

true

Question 21

how does authentication using a token work? (4)

Answer 21

1. client logs in using credentials
2. client receives auth token
3. user sends the auth token instead of credentials
4. server validates the auth token

Question 22

how does session-based authentication work? (4)

Answer 22

1. client logs in using credentials
2. client receives a reference to the session
3. user sends the session ID with subsequent requests
4. server checks if session is still valid

Question 23

users use their ___ to maintain their logged in state in session-based auth

Answer 23

session ID

Question 24

what is the difference between session-based auth and token-based auth in terms of session info?

Answer 24

session-based auth: the server keeps all the session data

token-based auth: all session info can be kept in the token

Question 25

true/false credentials should be sent over the network as frequent/as much as possible to maintain their logged in status

Answer 25

false, it should be sent as little as possible since these are sensitive information

Question 26

small piece of data that the server sends to the user's browser via a header in the response message

Answer 26

cookie

Question 27

cookies are typically used by the server to tell if ____

Answer 27

2 requests came from the same browser

Question 28

uses for cookies (3)

Answer 28

1. session management 2. personalization 3. tracking

Question 29

types of cookies (2)

Answer 29

1. session cookies 2. permanent cookies

Question 30

this type of cookies have an expiry date and time set during its creation and are automatically deleted by the browser

Answer 30

permanent cookies

Question 31

this type of cookies don't have a specified expiry, they are deleted when the browser shuts down

Answer 31

session cookies

Question 32

true/false session cookies can be restored

Answer 32

true, it can be restored using a browser feature called session restoring

Question 33

true/false session cookies are practically permanent

Answer 33

true, it is because of session restoring

Question 34

cookies that are inaccessible via JS/DOM methods; they are only stored, and sent directly to the server

Answer 34

Secure/HttpOnly Cookies

Question 35

the things that cross-site scripting attacks want to steal

Answer 35

cookies

Question 36

in practice, what is the usual size limit for cookies?

Answer 36

~4KB

Question 37

2 options for storing data in the server

Answer 37

1. Main memory 2. Database storage

Question 38

options for token storage on client side (4)

Answer 38

1. browser sessionStorage 2. browser localStorage 3. cookies 4. a variable in a program/main memory

Question 39

forms of browser storage introduced in HTML 5 (2)

Answer 39

1. session storage 2. local storage

Question 40

data in local/session storage is associated with a/an ___

Answer 40

origin

Question 41

options for sending auth tokens to a server (3)

Answer 41

1. as a cookie 2. in the authorization header of a request 3. in the url

Question 42

how are auth tokens sent as a cookie

Answer 42

``` Cookie: auth_token = ```

Question 43

how are auth tokens sent in the auth header

Answer 43

``` Authorization: Bearer ``` *Bearer is an Authorization type

Question 44

how are auth tokens sent in the url

Answer 44

``` http://www.sample.com/dashboard?auth_token= ```

Question 45

which can store more data, a cookie or the web storage API's localStorage and sessionStorage

Answer 45

the web storage API's localStorage and sessionStorage can store more data

Question 46

in practice, which authentication method/s do web apps commonly use?

Answer 46

a combination of both token and session-based auth is used

Question 47

without this, a middleman can read the contents of all the messages that users exchange with a server

Answer 47

TLS (HTTPS)

Question 48

authentication tasks for server (2)

Answer 48

1. give out tokens to authenticated clients 2. verify validity of tokens sent by clients

Question 49

authentication tasks for client (2)

Answer 49

1. store the auth token received from server 2. send auth token to server again whenever necessary