TL;DR
This guide explains how a server verifies who you are when you log into a website. It covers cookies, sessions, and basic security measures.
1. Understanding the Basics
When you enter your username and password on a website, that information needs to be sent securely to the server. The server then checks if it’s correct. But simply sending your password every time isn’t safe! Here’s how it works:
- Authentication: Verifying *who* you are.
- Authorisation: Checking *what* you’re allowed to do. This guide focuses on authentication.
2. The Authentication Process – Step by Step
- Login Form: You enter your username and password into the website’s login form.
- Data Transmission (HTTPS): Your browser sends this information to the server using a secure connection (HTTPS). Always look for the padlock icon in your browser’s address bar! This encrypts the data, preventing eavesdropping.
- Server Verification: The server checks your username and password against its stored records.
- Session Creation: If the credentials are correct, the server creates a session for you. Think of it like a unique ticket.
- Session ID Cookie: The server sends a small piece of data called a session ID cookie back to your browser. This cookie doesn’t contain your password; it just holds a random identifier.
- Cookie Storage: Your browser stores this session ID cookie.
- Subsequent Requests: Every time you visit another page on the website, your browser automatically sends this session ID cookie back to the server with each request.
- Server Session Lookup: The server uses the session ID to identify you and retrieve your session data (e.g., whether you’re logged in).
3. Cookies Explained
Cookies are small pieces of data that a website asks your browser to store on your computer and send back on later requests. They’re used for various purposes, including:
- Session Management: As described above, to keep you logged in.
- Personalisation: Remembering preferences (e.g., language).
- Tracking: Monitoring your activity on the site (often used for advertising – be aware of privacy settings!).
You can manage cookies through your browser’s settings.
4. Server-Side Session Management (Example – PHP)
Here’s a simplified example of how session management might work in PHP:
Important: This is a very basic example. In a real-world application, you would use secure password hashing and proper database interaction.
5. Security Considerations
- HTTPS: Always use HTTPS to encrypt data in transit.
- Password Hashing: Never store passwords in plain text! Use strong hashing algorithms (e.g., bcrypt, Argon2).
- Session ID Security: Session IDs should be long, random, and unpredictable. Regenerate the session ID after login to prevent session fixation attacks.
- Cookie Flags: Set appropriate cookie flags:
  - HttpOnly: Prevents JavaScript from reading the cookie, so an XSS flaw can’t simply steal the session ID.
  - Secure: Only sends the cookie over HTTPS connections.
  - SameSite: Controls when the cookie is sent with cross-site requests (helps prevent CSRF attacks).
- Session Timeout: Implement a session timeout to automatically log users out after a period of inactivity.
- Input Validation: Validate all user input to prevent injection attacks.
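The flow from sections 2, 4 and 5 carried through in code, as an added example (it is not the PHP snippet the guide refers to; it is written in Python using only the standard library so it runs as-is): passwords checked against a salted hash, a fresh random session ID issued on login so a pre-login ID is never kept, the cookie flags listed above, the server-side lookup, and an idle timeout. The in-memory user table, the 15-minute timeout and the cookie name `sid` are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 900  # seconds of inactivity before the server forgets a session (assumed value)
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 from the stdlib (bcrypt/Argon2 are preferable in production)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

class SessionStore:
    """Server-side session table: random session ID -> user and last-activity time."""
    def __init__(self):
        self.sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG: long, random, unpredictable
        self.sessions[sid] = {"user": user, "last_seen": time.time()}
        return sid

    def lookup(self, sid: str, now: float = None):
        """Map a presented cookie value to a user; None if unknown or idle for too long."""
        now = now if now is not None else time.time()
        data = self.sessions.get(sid)
        if data is None:
            return None
        if now - data["last_seen"] > SESSION_TTL:
            del self.sessions[sid]  # session timeout: treat the user as logged out
            return None
        data["last_seen"] = now
        return data["user"]

def session_cookie_header(sid: str) -> str:
    """Set-Cookie value carrying only the random ID, with the flags from section 5."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def login(store: SessionStore, users: dict, username: str, password: str, presented_sid: str = None):
    """Verify credentials; on success drop any pre-login session and issue a brand-new ID."""
    record = users.get(username)  # record is (salt, hash); never a plaintext password
    if record is None or not verify_password(password, *record):
        return None
    store.sessions.pop(presented_sid, None)  # regenerate: the old ID must not survive login
    return store.create(username)
```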
6. Two-Factor Authentication (2FA)
Adding 2FA significantly improves security. This requires users to provide two forms of identification, such as:
- Something they know (password).
- Something they have (code from an authenticator app or SMS code).