How does cookie based authentication work?

by

To expand on Conor’s answer and add a little bit more to the discussion…

Can someone give me a step by step description of how cookie based authentication works? I’ve never done anything involving either authentication or cookies. What does the browser need to do? What does the server need to do? In what order? How do we keep things secure?

Step 1: Client > Signing up

Before anything else, the user has to sign up. The client posts a HTTP request to the server containing his/her username and password.

Step 2: Server > Handling sign up

The server receives this request and hashes the password before storing the username and password in your database. This way, if someone gains access to your database they won’t see your users’ actual passwords.

Step 3: Client > User login

Now your user logs in. He/she provides their username/password and again, this is posted as a HTTP request to the server.

Step 4: Server > Validating login

The server looks up the username in the database, hashes the supplied login password, and compares it to the previously hashed password in the database. If it doesn’t check out, we may deny them access by sending a 401 status code and ending the request.

Step 5: Server > Generating access token

If everything checks out, we’re going to create an access token, which uniquely identifies the user’s session. Still in the server, we do two things with the access token:

  1. Store it in the database associated with that user
  2. Attach it to a response cookie to be returned to the client. Be sure to set an expiration date/time to limit the user’s session

Henceforth, the cookies will be attached to every request (and response) made between the client and server.

Step 6: Client > Making page requests

Back on the client side, we are now logged in. Every time the client makes a request for a page that requires authorization (i.e. they need to be logged in), the server obtains the access token from the cookie and checks it against the one in the database associated with that user. If it checks out, access is granted.

This should get you started. Be sure to clear the cookies upon logout!

More Related Contents:

  1. Set cookies for cross origin requests
  2. Handling Browser Authentication using Selenium
  3. Token Authentication vs. Cookies
  4. Why are cookies unrecognized when a link is clicked from an external source (i.e. Excel, Word, etc…)
  5. OWIN – Authentication.SignOut() doesn’t seem to remove the cookie
  6. Sending cookie session id with Swagger 3.0
  7. Google OAuth 2 authorization – Error: redirect_uri_mismatch
  8. Where to store JWT in browser? How to protect against CSRF?
  9. How do I uniquely identify computers visiting my web site?
  10. PHP Curl And Cookies
  11. PHP login system: Remember Me (persistent cookie) [duplicate]
  12. Asp.Net Forms Authentication when using iPhone UIWebView
  13. How can I extend ServiceStack Authentication
  14. What are the current cookie limits in modern browsers?
  15. Socket.IO Authentication
  16. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  17. Forgot Password: what is the best method of implementing a forgot password function?
  18. How to use UrlFetchApp with credentials? Google Scripts
  19. how to implement login auth in node.js
  20. What is the purpose of a “Refresh Token”?
  21. What if JWT is stolen?
  22. How to get a JWT?
  23. Sending POST request with username and password and save session cookie
  24. What is the Authorized Javascript Origin for a webapp powered by Google Script?
  25. Login to website using python
  26. IIS7: Setup Integrated Windows Authentication like in IIS6
  27. CakePHP remember me with Auth
  28. How to use Windows Active Directory Authentication and Identity Based Claims?
  29. PHP authentication with multiple domains and subdomains
  30. Multiple IdentityServer Federation : Error Unable to unprotect the message.State

Leave a Comment