How does cookie based authentication work

Question

Can someone give me a step by step description of how cookie based authentication works  I ve never done anything involving either authentication or cookies  What does the browser need to do  What does the server need to do  In what order  How do we keep things secure   I ve been reading about different types of authentication and about cookies but I would like a basic description of how to use the two together- I ve only read that they are often used together but could not find a description of how

User · Answer

Cookie-Based Authentication  Cookies based Authentication works normally in these 4 steps-   The user provides a username and password in the login form and clicks Log In  After the request is made  the server validate the user on the backend by querying in the database  If the request is valid  it will create a session by using the user information fetched from the database and store them  for each session  a unique id called session Id is created  by default session Id is will be given to client  through the Browser   Browser  will submit this session Id on each  subsequent requests  the session ID is verified against the database  based on this session id website will identify the session belonging to which client and then give access the request  Once a user logs out of the app  the session is destroyed both client-side and server-side

User · Answer

I realize this is years late  but I thought I could expand on Conor s answer and add a little bit more to the discussion      Can someone give me a step by step description of how cookie based authentication works  I ve never done anything involving either authentication or cookies  What does the browser need to do  What does the server need to do  In what order  How do we keep things secure    Step 1  Client   Signing up  Before anything else  the user has to sign up  The client posts a HTTP request to the server containing his her username and password   Step 2  Server   Handling sign up  The server receives this request and hashes the password before storing the username and password in your database  This way  if someone gains access to your database they won t see your users  actual passwords   Step 3  Client   User login  Now your user logs in  He she provides their username password and again  this is posted as a HTTP request to the server   Step 4  Server   Validating login  The server looks up the username in the database  hashes the supplied login password  and compares it to the previously hashed password in the database  If it doesn t check out  we may deny them access by sending a 401 status code and ending the request   Step 5  Server   Generating access token  If everything checks out  we re going to create an access token  which uniquely identifies the user s session  Still in the server  we do two things with the access token    Store it in the database associated with that user Attach it to a response cookie to be returned to the client  Be sure to set an expiration date time to limit the user s session   Henceforth  the cookies will be attached to every request  and response  made between the client and server   Step 6  Client   Making page requests  Back on the client side  we are now logged in  Every time the client makes a request for a page that requires authorization  i e  they need to be logged in   the server obtains the access token from the cookie and checks it against the one in the database associated with that user  If it checks out  access is granted   This should get you started  Be sure to clear the cookies upon logout

User · Answer

A cookie is basically just an item in a dictionary   Each item has a key and a value  For authentication  the key could be something like  username  and the value would be the username   Each time you make a request to a website  your browser will include the cookies in the request  and the host server will check the cookies   So authentication can be done automatically like that   To set a cookie  you just have to add it to the response the server sends back after requests  The browser will then add the cookie upon receiving the response     There are different options you can configure for the cookie server side  like expiration times or encryption   An encrypted cookie is often referred to as a signed cookie   Basically the server encrypts the key and value in the dictionary item  so only the server can make use of the information  So then cookie would be secure   A browser will save the cookies set by the server   In the HTTP header of every request the browser makes to that server  it will add the cookies   It will only add cookies for the domains that set them   Example com can set a cookie and also add options in the HTTP header for the browsers to send the cookie back to subdomains  like sub example com   It would be unacceptable for a browser to ever sends cookies to a different domain

[authentication] How does cookie based authentication work?

Examples related to authentication

Examples related to cookies

Examples related to browser