Authentication

Question 1

• __________ is the process of verifying that someone is who they say they are.
• Involves granting access to resources based on someone’s identity.

Answer 1

Authentication

Question 2

Reasons for authentication

Answer 2

1. Saving client-client data
2. Customizing User Experience
3. Authorization / Usage Control

Question 3

True or False

Authentication and Authorization are the same. They are used in conjunction with each other.

Answer 3

False

Authentication and Authorization are related, but different concepts. They are used in conjunction with each other.

Question 4

True or False

Authorization can’t happen without authentication. A user can be authenticated, but not authorized to access a particular resource.

Answer 4

True

Question 5

What do we need for authentication?

Answer 5

1. Credentials
an identity and an authentication factor
e.g. username and password OR email and password authentication can be multi-factor
e.g one-time-pin sent through email or an app (aside from the actual password)
<br></br>
2. Authentication token or session id from the server.
used for subsequent requests that require authentication

Question 6

True or False

After a user logs in, they shouldn’t have to authenticate again.

Answer 6

False

After a user logs in, they shouldn’t have to authenticate again until they log out or the session expires.

Question 7

Servers ‘remember’ users with the use of ________ or sessions.

Answer 7

cookies

Question 8

2 kinds of auth

Answer 8

1. Token Based Auth
2. Session-Based Auth

Question 9

The authenticating server gives out tokens to clients.

Answer 9

Token-based authentication

Question 10

A ________ is a string of data.

Answer 10

token

Question 11

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey JzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva G4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKx wRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Answer 11

Sample token

Question 12

________ can be used for things other than authentication (holding identity data, getting more auth tokens, etc.)
They are a generic medium of information

Answer 12

Tokens

Question 13

A 1. ________ message means that its origin can be verified. An 2. ________ message means that only its intended recipient can read it.

Answer 13

1. signed
2. encrypted

Question 14

True or False

Clients do not necessarily send an auth token with every request that needs authentication.

Answer 14

False

Clients send an auth token with every request that needs authentication.

Question 15

True or False

• The authenticating server issues tokens when clients log in.
• However, it doesn’t keep track of logged in users.
• The server only checks the validity of submitted tokens (not yet expired, untampered).

Answer 15

True

Question 16

• In ________________, the server keeps track of a list of active sessions. It gives logged in users a session id (usually in a cookie).
• Users use their session ID to maintain their logged in state as they use the web app.

Answer 16

Session-based auth

Question 17

Heavy lifting is done server-side. The ________ keeps all the session data.
<br></br>
vs. Token-based: all ‘session info’ can be kept in the token.

Answer 17

server

Question 18

True or False

Credentials are sensitive information and should be sent over the network as little possible.

Answer 18

True

Question 19

True or False

Tokens and Sessions can be revoked to terminate a logged in ‘session’ as needed.

Answer 19

True

Question 20

A _________ is a small piece of data that the server sends to the user’s browser via a header in the response message.

Answer 20

cookie

Question 21

• Browsers store this data and, until it expires, include it with all requests sent to the origin server
• Typically used by the server to tell if 2 requests came from the same browser.

Answer 21

Cookies

Question 22

Uses for cookies

Answer 22

• Session Management
• Personalization
• Tracking

Question 23

Types of Cookies

Answer 23

• Session Cookies
• Permanent Cookies

Question 24

Have an expiry date and time set during its creation. They are automatically deleted by the browser.

Answer 24

Permanent Cookies

Question 25

Don't have a specified expiry. They are deleted when the client (browser) shuts down.

Answer 25

Session cookies ## Footnote (However they can be be restored using a browser feature called session restoring)

Question 26

# True or False Because of session restoring, Session cookies are practically permanent, in practice.

Answer 26

True

Question 27

These cookies are inaccessible via JS/DOM methods. They are only stored, and sent directly to the server.

Answer 27

Secure/HttpOnly Cookies

Question 28

* aren’t really a third typeof cookie. * Session and permanent cookies can have the additional property of being secure.

Answer 28

Secure/HTTPOnly cookies

Question 29

# True or False Cookies are the things that cross-site scripting attacks want to steal. Like the Same-origin Policy, secure cookies are a security measure.

Answer 29

True

Question 30

The W3C spec for cookies doesn’t include a size limit. But in practice: _\_\_\_

Answer 30

~4KB

Question 31

# Token-Based vs Session-Based In session-based, heavy lifting is done _\_\_\_\_\_\_\_\_. The server keeps all the session data.

Answer 31

server-side

Question 32

Options for storing session data in the server

Answer 32

1. Main memory (in a running program) 2. Database storage

Question 33

Options for token storage on client side

Answer 33

1. Browser sessionStorage 2. Browser localStorage 3. Cookies 4. A variable in a program / main memory (if request is not handled by a browser)

Question 34

Session storage and Local storage are forms of browser storage introduced in _\_\_\_\_\_\_\_\_.

Answer 34

HTML 5

Question 35

# True or False Like cookies, data in local/session storage is not associated with an origin.

Answer 35

False ## Footnote Like cookies, data in local/session storage **is** associated with an origin.

Question 36

# True or False But usage of local/sessionStorage is not tied to a header like Set-Cookie or Cookie.

Answer 36

True

Question 37

Options for sending auth tokens to a server

Answer 37

1. As a cookie 2. In the Authorization Header of a request 3. In the URL

Question 38

* In _\_\_\_\_\_\_\_\_\_, all the session info can be kept in the token. It’s easy to scale horizontally. * Adding more concurrent users doesn’t add a proportional amount of load on the servers.

Answer 38

token-based

Question 39

Web Storage API’s 1. _\_\_\_\_\_\_\_\_\_ and 2. _\_\_\_\_\_\_\_\_\_can store more data than a cookie

Answer 39

localStorage sessionStorage

Question 40

* _\_\_\_\_\_\_\_\_\_\_\_ auth is becoming more popular because of the popularity of APIs, and the separation of back-end and front-end. * The authenticating server might be different from the web app server.

Answer 40

Token-based

Question 41

# True or False In practice, web apps commonly use only one of either token or session-based auth.

Answer 41

False ## Footnote In practice, web apps commonly use a **combination of both** token and session-based auth.

Question 42

* HTTP with _\_\_\_\_\_\_\_(HTTPS) is important for either implementation. * Without _\_\_\_\_\_\_\_, a middleman can read the contents of all the messages you exchange with a server, and can steal cookies, tokens, or credentials.

Answer 42

TLS

Question 43

Implementation: Simple Token-Based Auth

Answer 43

* Express JS * MongoDB/Mongoose JS * Json Web Tokens * Cookie Parser * bcrypt

Question 44

To Implement:

Answer 44

1. Sign Up 2. Log In 3. Restrict Dashboard page 4. Log Out

Question 45

# Authentication Tasks Server: Client:

Answer 45

Server 1. Give out tokens to authenticated clients (‘signing’ tokens) 2. Verify validity of tokens sent by clients Client 1. Store the auth token received from server 2. Send auth token to server again whenever necessary