Almost every web application requires authentication and authorization.
And while it is true that not every web developer needs to build the utilities that handle them, if you don't understand what's going on behind the scenes you're doomed to make a potentially disastrous mistake.
Whether you've got a team at your company that handles auth, you're using a third-party service, or you're building it yourself, understanding authentication and authorization is critical to your success at keeping your users' data secure.
When I was at PayPal, we had a team that was responsible for managing authentication (thank goodness). It was a major black box for me, which became a problem when it came time to add end-to-end tests to our application that required authentication. Some people would just stick the auth flow in front of all their tests and call it good. But that's not good. That's the path to slower and more flaky tests.
Instead, I took the time to learn about and understand how our app’s authentication worked so I could simulate that authenticated state in our test environment. I used utilities built by the authentication team to help through the process as well.
It's your responsibility to learn and understand the whole stack. Not because you're going to be working on it, but because you'll be more capable of collaborating with those who do. That's what staff-level engineers are expected to do.
This is why the Authentication Strategies & Implementation workshop on EpicWeb.dev is so vital. It's a whole 21 exercises long, covering a wide variety of tools and techniques that you need to understand to implement auth in your web application. Topics like cookies, sessions, passwords, permissions, verifications, and OAuth are all there.
HTTP cookies have been around since the very beginning of the web. They were invented to solve the problem of state management in web applications. Cookies allow a website to store small pieces of data on a user's device, which the browser then sends back to that server with every matching request. This enables the server to maintain session information and remember user preferences across different interactions.
Cookies have become a fundamental part of web browsing and online user experiences, facilitating various functions such as session management, tracking user behavior, and personalization. However, due to privacy concerns, the use of cookies has evolved, and modern browsers provide users with more control over cookie settings, including options to block or delete cookies. Despite this, the most secure solution for managing user sessions is still to use cookies 🍪
Honestly, if your web-based application is using anything else for user authentication information, it's very possible you've got some security vulnerabilities. At OWASP's NZDay conference, Security Specialist Mike Haworth gave a talk titled "HTML5." Among the great security-related information in his slides, you'll find:

    sessionStorage for session cookie?
    • Obviously sessionStorage is accessible by JS
      – Therefore session token theft by XSS is possible.
      – Cookie w/ HTTPonly flag set is not accessible by JS
    • Use Cookies with HTTPOnly for session tokens
    • Don't store sensitive info in browser storage
And this has not changed since his talk in 2011. Steer clear of using localStorage or sessionStorage for storing sensitive data like user sessions.
Understanding web authentication and authorization is an important part of web security (it's one of OWASP's Top Ten which "represents a broad consensus about the most critical security risks to web applications"). Having a clear understanding of web auth will help you avoid making simple mistakes in your implementation.
To gain even more perspective, you'll definitely want to check out the bonus interviews with Auth0's Will Johnson, PlanetScale's Iheanyi Ekechukwu, and creator of the remix-auth library Sergio Xalambrí. Each of these developers brings their own perspective on the past, present, and future of authentication and authorization.
– Kent