728x90
Handle user passwords
- Password should never be stored in plain text
- hashing: a one-way function transforms the password into hashed text which is good enough for validation without storing the actual password
HTTP authentication
1. If needed, server can send response with hander www-authenticate(provides scheme to use) with a challenge
2.
HTTP authorization schemes
- In the authorization request header, different schemes are allowed
Json web tokens(JWT)
- JWT gets popularity as a way yo generate authentication tokens
- JWT always has 3 parts with a dot in between
- header(algorithm and token type)
- payload(the actual contents)
- signature(the header+payload encoded, signed with server's private key)
- The 3 parts are encoded separately in based 64
JWT VS. session
- data stored in JWT and session cannot be tempered with at the client side
- with JWT token, data are kept on client side whereas
Cross-site threats
- cross-site scripting(xss)
- stored XSS
- reflected XSS
- DOM based XSS
- Cross-site request forgery(CSRF)
- if request origin of an action is not checked, a request could be made on a malicious site other than the expected site
728x90