Authentication and authorization basics: the difference between Authentication, Authorization and Cookie, Session, Token


1. What is the difference between authentication (Authentication) and authorization (Authorization)?

This is a question many people get confused about. First, let us start with the pronunciation of the two terms: many people mix them up, so I suggest you look up how the two words are read and what exactly each of them means.

Put simply:

  • Authentication: who you are.
  • Authorization: what you are permitted to do.

A slightly more formal (and more long-winded) explanation:

  • Authentication verifies your identity credentials (for example username / user ID and password). Through these credentials the system knows that you are who you claim to be, i.e. that you exist as a user in this system. That is why Authentication is also called identity / user authentication.
  • Authorization happens after Authentication. As the name suggests, it is mainly responsible for controlling our permissions to access the system. For example, some specific resources may only be accessed by people with certain privileges, such as admin, and some operations on system resources, such as delete, add and update, may only be performed by specific roles.

In our systems the two are generally used together, with the purpose of protecting the security of the system.

2. What is a Cookie? What is a Cookie used for? How are Cookies used on the server?

2.1 What is a Cookie? What is a Cookie used for?

Cookie and Session are both means of tracking the identity of the browser user, but their usage scenarios are not the same.

Wikipedia defines a Cookie as: data that some websites store on the user's local terminal (usually encrypted) in order to identify the user. In simple terms: a Cookie is stored on the client and is usually used to store user information.

Here are some applications of Cookies:

  1. We can store the information of a logged-in user in a Cookie, so that the next time the user visits the site, the page automatically fills in some basic information to help them log in. In addition, a Cookie can also save user preferences, themes and other settings.
  2. A Cookie can hold a SessionID or a Token; the Cookie is sent along with each request to the backend, so the backend can retrieve the Session or the Token. This is how the current state of the user can be recorded, because the HTTP protocol itself is stateless.
  3. Cookies can also be used to record and analyze user behaviour. A simple example: when shopping online, because HTTP is stateless, if the server wants to know what merchandise you looked at on a page, a common implementation is to store that information in a Cookie.

2.2 How are Cookies used on the server?

This section references: https://attacomsian.com/blog/cookies-spring-boot. For more on how to use Cookies in Spring Boot, see that article.

1) Set a cookie and return it to the client

@GetMapping("/change-username")
public String setCookie(HttpServletResponse response) {
    // create a cookie
    Cookie cookie = new Cookie("username", "Jovan");
    // set the cookie expiration time: expires in 7 days
    cookie.setMaxAge(7 * 24 * 60 * 60);
    // add the cookie to the response
    response.addCookie(cookie);
    return "Username is changed!";
}

2) Use the @CookieValue annotation provided by the Spring framework to obtain the value of a specific cookie

@GetMapping("/")
public String readCookie(@CookieValue(value = "username", defaultValue = "Atta") String username) {
    return "Hey! My username is " + username;
}

3) Read the values of all Cookies

@GetMapping("/all-cookies")
public String readAllCookies(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        return Arrays.stream(cookies)
                .map(c -> c.getName() + "=" + c.getValue())
                .collect(Collectors.joining(", "));
    }
    return "No cookies";
}

3. What is the difference between Cookie and Session? How is a Session used for authentication?

The main role of a Session is to record the user's state on the server. A typical scenario is a shopping cart: when you want to add items to the cart, the system does not know which user is performing the action, because the HTTP protocol is stateless. After the server creates a specific Session for a specific user, it can identify that user and track them.

Cookie data is stored on the client (browser); Session data is stored on the server side. A Session is relatively more secure. If you use Cookies, do not write sensitive information into them; ideally the Cookie information is encrypted, and decrypted on the server when it is used.

So, how is a Session used for authentication?

In many cases we identify a specific user by a SessionID, and the SessionID is generally stored in Redis. For example: a user logs in to the system successfully, then a Cookie containing the SessionID is returned to the client; when the user makes a request to the backend, the SessionID is carried along, so the backend knows the identity and state of the user. This authentication method in more detail:

Session Based Authentication flow

  1. The user sends the username and password used to log in to the server.
  2. After verifying them, the server creates a Session for the user and stores the Session information.
  3. The server returns a SessionID to the user, who writes it into a Cookie.
  4. While the user remains logged in, the Cookie is sent with each subsequent request.
  5. The server compares the Session ID in the Cookie with the Session information stored in memory or in the database to verify the user's identity, then returns a response to the client that carries the user's current state.
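The five steps above, carried out by a minimal in-process server (an added example, not code from the original post or from Spring Session). The user table, the session store and the SESSIONID cookie name are constructed for the example; a real deployment would hold the sessions in Redis, as the text notes, and would store salted password hashes rather than plaintext passwords.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed user database for the example (plaintext only to keep the block short).
USERS = {"alice": "correct horse", "bob": "hunter2"}

# Server-side session store: session ID -> session data. In production this would be
# Redis or a database shared by all instances.
SESSIONS = {}


def login(username, password):
    """Steps 1-3: verify credentials, create a server-side Session, return the Set-Cookie header."""
    if USERS.get(username) != password:
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable; never derived from user data
    SESSIONS[session_id] = {"user": username, "cart": []}
    # HttpOnly keeps page scripts from reading the ID; Secure restricts it to HTTPS.
    return f"SESSIONID={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def _session_id_from(cookie_header):
    """Pull the SESSIONID value out of a request's Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("SESSIONID")
    return morsel.value if morsel is not None else None


def current_user(cookie_header):
    """Steps 4-5: look the SessionID up in the store; an unknown ID identifies nobody."""
    session = SESSIONS.get(_session_id_from(cookie_header))
    return session["user"] if session else None


def logout(cookie_header):
    """Invalidate the server-side Session; the cookie the client still holds proves nothing."""
    return SESSIONS.pop(_session_id_from(cookie_header), None) is not None
```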

In addition, Spring Session provides a mechanism for managing user session information across multiple applications or instances. Several very good articles cover this in more depth.

4. What is a Token? What is JWT? How is authentication done based on a Token?

In the previous question we explored using a Session to identify the user, and gave several Spring Session case studies. We know that a copy of the Session information has to be saved on the server side. This brings some problems: for example, we need to guarantee the availability of the servers that store the Session information, and the approach is not well suited to mobile clients (it depends on Cookies), and so on.

Is there a way to achieve authentication without storing Session information? Yes, by using a Token! JWT (JSON Web Token) is implemented this way: the server does not need to save any Session data, only the client saves the Token the server returned to it, and scalability is improved.

In essence, a JWT is a signature over a piece of data in JSON format. Because it carries a signature, the recipient can verify its authenticity.

The following is the more formal definition of JWT given in RFC 7519.

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. ——JSON Web Token (JWT)

A JWT consists of three parts:

  1. Header: descriptive metadata about the JWT. It defines the algorithm used to generate the signature and the type of the Token.
  2. Payload: carries the actual data that needs to be transferred.
  3. Signature: generated by the server from the Header, the Payload and a key (secret), using the signature algorithm specified in the Header (the default is HMAC SHA256).

In Token-based authentication, the server creates a Token from the Header, the Payload and a key (secret) and sends the Token to the client; the client stores the Token in a Cookie or in localStorage, and every request the client sends afterwards carries this Token. You can put it in a Cookie so that it is sent automatically, but that cannot work across domains, so the better approach is to put it in the HTTP Authorization header field: Authorization: Bearer Token.

Token Based Authentication flow

  1. The user sends the username and password used to log in to the server.
  2. The authentication service responds with a signed JWT, which contains the information about who the user is.
  3. Afterwards, the user puts the JWT in the Header of every request sent to the backend.
  4. The server checks the JWT and obtains the user information from it.
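The three-part structure, the HMAC SHA256 signature and the verification step of the flow above, written out with only the Python standard library (an added example, not from the original post or from any JWT library). The secret and the claims are constructed for the example; the verifier pins the algorithm to HS256, compares signatures in constant time and rejects expired tokens, which is what "the server checks the JWT" in step 4 has to mean.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload, secret):
    """Header.Payload are base64url JSON; Signature = HMAC-SHA256(secret, 'header.payload')."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token, secret, now=None):
    """Return the claims only if the signature is valid and the token has not expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # The server decides the algorithm; a token claiming "none" or another alg is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # tampered payload or wrong key: the signature no longer matches
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        return None
    return payload


def bearer_token(authorization_header):
    """Extract the token from 'Authorization: Bearer <token>' (step 3 of the flow)."""
    scheme, _, token = (authorization_header or "").partition(" ")
    return token if scheme == "Bearer" and token else None
```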


5. What is OAuth 2.0?

OAuth is an industry-standard authorization protocol, mainly used to grant third-party applications limited access permissions. OAuth 2.0 is a complete redesign of OAuth 1.0; OAuth 2.0 is faster and easier to implement, and OAuth 1.0 has been deprecated. For details, see rfc6749.

In fact, it is an authorization mechanism whose ultimate goal is to issue a time-limited token to a third-party application, so that the third-party application can obtain the relevant resources using that token.

The most common scenario for OAuth 2.0 is third-party login: when you log in to a website through a third party, it is generally the OAuth 2.0 protocol that is being used.


Origin www.cnblogs.com/wuwuyong/p/12210842.html