Understand important web authorization techniques to enhance role-based authentication for any web application with popular techniques like Session & JSON Web Token (JWT)
Anuj Sharma
Last Updated Aug 29, 2024
Authorization is about validating the user's permission to access a resource; if that check fails, the HTTP status code "403 Forbidden" is returned.
The client sends a username & password to the server. The server validates the credentials against those stored in the DB.
On successful authentication, the server generates a unique (signed) session id and stores that session_id on the server.
The server sends back the session_id, which is set as part of a cookie:
HTTP OK 200 set-cookie
All subsequent HTTP requests include the session_id in the Cookie request header.
The server validates the session_id from the cookie against the stored session; if it is valid, the user is authorized and the HTTP request is processed.
How to solve - The above problem can be solved with a shared cache such as Redis, where all the servers store and look up session_id entries in the Redis cache.
Session-based authentication is prone to CSRF attacks. This can be prevented by using the X-CSRF-Token header.
Pros - Cookies can be hardened with the HttpOnly and SameSite attributes on the Set-Cookie header; HttpOnly makes the cookie inaccessible to JavaScript code.
The client sends a username & password to the server. The server validates the credentials against those stored in the DB.
On successful authentication, the server generates a unique token that contains data (payload) related to the user, and signs that token.
This token is sent back to the user as part of the successful HTTP response in the Authentication HTTP header:
HTTP 200 OK Authentication: Bearer [Token]
The user saves this token in a cookie or in local storage.
The user sends this token with subsequent API requests in the Authentication header.
If the token is valid, the server authenticates it and processes the API request.
The signing secret must be shared between servers so that any server can verify the token and extract the user details.
Invalidating a token before it expires (for example after a forgotten-password reset) requires keeping a list of revoked tokens, which makes the scheme partly stateful.
Token-based authentication is prone to XSS attacks.
The token is not opaque: it carries payload information, and anyone holding the token can extract it.
No sensitive information should be placed in the payload.
A new signature must be generated at frequent intervals to avoid resource forgery attacks.