0x361 Security



Authentication and authorization are different

  • authentication: verifying identity (401 Unauthorized)
  • authorization: verifying permissions (403 Forbidden)

Username/password scheme

stateful (i.e. a server-side session referenced by a cookie)

stateless (a token, e.g. JWT/OAuth/…)

Basic Authentication

Stateless authentication: every request has to send both username and password. Defined in RFC7617.

Session-based authentication

Session-based authentication is a stateful method.

The flow of session-based authentication works as follows:

  • user submits login credentials (e.g. email, password)
  • server verifies the credentials against the DB
  • server creates a temporary user session
  • server issues a cookie carrying the session ID; the cookie is stored on the client side and signed with a secret
  • user sends the cookie with each request
  • server validates it against the session store and grants access
  • when the user logs out, the server destroys the session and clears the cookie


  • every user session is stored server-side (stateful); it can be kept in memory, a cache or a DB
  • each user is identified by a session ID (a random string), which on the client side is stored in a cookie
  • horizontal scaling is more challenging with cookie-based sessions, since every server instance must reach the same session store


  • a cookie is an HTTP header (like Content-Type)
  • set by the server with the Set-Cookie response header, and sent back by the client in the Cookie request header
  • consists of name=value pairs (basically a map); typically contains something like SESS_ID, but can carry other attributes such as Domain
  • the Domain and Path attributes restrict the cookie to a given site and route
  • an expiration can be set to expire the cookie (when omitted, the cookie becomes a session cookie that is deleted when the browser is closed)
  • it can also have flags such as HttpOnly, Secure, SameSite


  • signed with an HMAC to mitigate tampering
  • rarely encrypted (if ever, with AES) to protect the contents from being read
  • the HttpOnly flag disables access to the cookie from client-side script, which mitigates the risk from XSS exploits

Token-based Authentication

Token-based authentication is a stateless method.

The typical token-based authentication flow is as follows:

  • user submits login credentials and the server verifies them
  • server generates a temporary token and embeds user data into it
  • server responds with the token
  • user stores the token in client storage
  • user sends the token along with each request
  • server verifies the token and grants access
  • on logout, the token is cleared from client storage


  • tokens are not stored server-side, only on the client side
  • signed with a secret against tampering
  • typically sent in the Authorization header
  • when it is about to expire, it can be refreshed
  • used in SPA web apps, web APIs, mobile apps

JWT (JSON Web Tokens)

JWT is an open standard for authentication and information exchange.

It consists of a header (metadata), a payload (claims) and a signature (made with a symmetric or asymmetric key), delimited by dots.


  • signed (typically with an HMAC)
  • rarely encrypted (JWE)
  • encoded (Base64Url) for transport, not for security
  • the server needs to maintain a blacklist of revoked tokens, since a token is not stored server-side and cannot otherwise be invalidated before it expires
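A minimal HS256 issue/verify routine showing the header.payload.signature layout, the Base64Url encoding, the expiry check and the revoked-token blacklist described above. This is an added example, not code from the original notes; the demo secret, the use of a jti claim as the token ID and the in-memory REVOKED set are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: server HMAC key (constructed; never hard-code for real)
REVOKED = set()                       # assumption: server-side blacklist of revoked token IDs (jti claim)

def _b64url(raw: bytes) -> str:
    # Base64Url without padding: encoding for transport, not secrecy
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, now: int, ttl: int = 900) -> str:
    # header (metadata) . payload (claims) . signature, each segment Base64Url-encoded
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({**claims, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def revoke(jti: str) -> None:
    # logout before expiry: the token itself cannot be changed, so record its ID server-side
    REVOKED.add(jti)

def verify_jwt(token: str, now: int) -> Optional[dict]:
    # Returns the claims when the token is valid, otherwise None
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # malformed Base64Url or JSON (binascii/json errors subclass ValueError)
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "none" or the token's own choice
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time signature comparison
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:  # expired tokens must be refreshed, not accepted
        return None
    if claims.get("jti") in REVOKED:  # consult the blacklist on every request
        return None
    return claims
```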


  • a JWT can be stored in client storage: localStorage or sessionStorage
  • localStorage is domain-specific (5 MB per domain), plaintext and stored permanently