Databases
StackOverflow2013
Postsdbo
POHow to do stateless (session-less) & cookie-less authentication?
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POHow to do stateless (session-less) & cookie-less authentication?
    primarykey
    data
    text
    <p>Bob uses a web application in order to achieve something. And:</p> <ul> <li>His browser is on diet, therefore it does not support <strong>cookies</strong>. </li> <li>The web application is a popular one, it deals with a lot of users at a given moment - it has to <em>scale</em> well. As long as keeping session would impose <strong>a limit to the number of simultaneous connections</strong>, and, of course, will bring a non-negligible <strong>performance penalty</strong>, we might like to have a session-less system :)</li> </ul> <p><strong>Some important notes:</strong> </p> <ul> <li>we do have <strong>transport security</strong> (<em>HTTPS</em> and its best friends);</li> <li>behind the curtains, the web application delegates a lot of operations to <strong>external services</strong>, on current <strong>user's behalf</strong> (those systems do recognize Bob as one of their users) - this means that <strong>we have to forward them Bob's credentials</strong>.</li> </ul> <p>Now, how do we authenticate Bob (on each and every request)? Which would be a reasonable way to implement such a thing?</p> <ul> <li>playing <em>tennis</em> with the credentials via <strong>HTML form hidden fields</strong>... the <em>ball</em> contains the credentials (<strong>username &amp; password</strong>) and the <em>two rackets</em> are the browser and the web application respectively. In other words, we may transport data back and forth via form fields instead of via cookies. At each web request, the browser posts the credentials. Though, in the case of a <strong>single-page application</strong>, this may look like playing <em>squash</em> against a rubber wall, instead of playing <em>tennis</em>, as the <em>web form</em> containing the credentials might be kept alive the entire lifetime of the <em>web page</em> (and the server will be configured not to offer the credentials back).</li> <li>storing the username &amp; the password in the context of the page - JavaScript variables etc. Single-page required here, IMHO.</li> <li>encrypted token - based authentication. In this case, the log-in action would result in the generation of an encrypted security token (username + password + something else). This token would be served back to the client and the upcoming requests will be accompanied by the token. Does this make sense? We already have HTTPS...</li> <li>others...</li> <li>last resort: do not do this, store credentials in the session! Session is good. With or without cookies.</li> </ul> <p>Does any web / security concern come into your mind, regarding any of the previously described ideas? For example,</p> <ul> <li><em>time-outing</em> - we may keep a <strong>timestamp</strong>, along with the credentials (time-stamp = the time Bob entered his credentials). E.g. when <strong>NOW - timestamp > threshold</strong>, we might deny the request.</li> <li><em>Cross-site scripting</em> protection - should not be different in any way, right?</li> </ul> <p>Thank you a lot for taking the time to reading this :)</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USturdus-merula
    1. USturdus-merula
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POHow to do stateless (session-less) & cookie-less authentication?
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POHow to do stateless (session-less) & cookie-less authentication?
      1. USCamilB
      1. VTFavorite
    3. VO
      singulars
      1. POHow to do stateless (session-less) & cookie-less authentication?
      1. USturdus-merula
      1. VTBountyStart
    1. COYou could append a token to every URL. ASP.NET has a (legacy) mode to do that. This proves that it can work.
      singulars
      1. POHow to do stateless (session-less) & cookie-less authentication?
      1. USusr
    2. COWhere is everybody? :)
      singulars
      1. POHow to do stateless (session-less) & cookie-less authentication?
      1. USturdus-merula
    3. COI think you've got a pretty good idea of the options that are available. Trust your reasoning and decide yourself.
      singulars
      1. POHow to do stateless (session-less) & cookie-less authentication?
      1. USusr
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload