Vishal Sharma's Blog

Decoding Web Authentication: Understanding JWT, Sessions, Cookies

Decoding Web Authentication: Understanding JWT, Sessions, Cookies

Vishal Sharma's photo
Vishal Sharma
·

10 min read

Table of contents

In the intricate realm of web development, the foundation of secure and seamless user experiences lies in the art of authentication. As users navigate through the digital landscape, a sophisticated interplay of technologies ensures the protection of sensitive data. In this blog, we embark on a journey to unravel the core components of web authentication, exploring the roles played by Sessions, Cookies, and JSON Web Tokens (JWT).

Authentication

Imagine your digital space as a secure home, and you, as the owner, want to ensure that only trusted members gain access. In the realm of web development, this concept translates to authentication – the art of allowing only authorized users to enter your digital domain. Think of it as providing a unique access card to those you recognize and trust. When these cardholders (authentic users) approach the entrance (system), a vigilant security system checks their credentials, ensuring that only the rightful occupants are granted entry.

In the realm of web authentication there are two ways to give authentication and they are as follows:

  • Stateless Authentication

  • Stateful Authentication

Stateful Authentication

In Stateful Authentication, as the name suggests, we maintain the user's state in the database for future reference. You might wonder what this "state" entails. Well, the state encompasses crucial information about the signed-in user, such as the session ID and other relevant details. This stored information facilitates a seamless and secure user experience, allowing for efficient tracking and retrieval of user-specific data during their interaction with the system. When the user logs out the session is destroyed from the database.

Here is the basic follow to know about session-based authentication:

  1. User Login:

    • A user enters their credentials (username and password) and clicks the "Login" button.

    • The server validates the credentials against stored information in the database.

  2. Session Creation:

    • Upon successful validation, the server generates a unique session ID for the user.

    • This session ID is stored in the database, associating it with the user's account.

  3. State Maintenance:

    • Throughout the user's session, their activities, preferences, and other relevant data are stored in the database.

    • The server references the session ID to provide a personalized and tailored experience during the user's interactions.

  4. Logout or Session Expiry:

    • When the user logs out or the session expires, the corresponding session information is updated or removed from the database.

Advantages of Stateful Authentication:

  1. Session Persistence: Users can enjoy a continuous and personalized experience across multiple interactions without repeatedly entering credentials.

  2. Granular Control: The server can manage user-specific data efficiently, allowing for personalized content and targeted services.

  3. Enhanced Security: With the ability to track and monitor user sessions, it becomes easier to identify and mitigate potential security threats.

Disadvantages of Stateful Authentication:

  1. Scalability Challenges: Storing session information for numerous users can strain resources and impact scalability as the user base grows.

  2. Server Dependency: Users are reliant on the server's continuous availability, as their session information is stored server-side.

  3. Complex Implementation: Implementing and maintaining stateful authentication systems can be more complex compared to stateless alternatives, potentially leading to higher development and maintenance costs.

  4. Cross-Site Scripting (XSS): Cross-Site Scripting (XSS) is a security vulnerability that can affect web applications, including those using session-based authentication. XSS occurs when an attacker injects malicious scripts into web pages, and these scripts are then executed by the victim's browser, often leading to the theft of sensitive information such as session cookies.

Implementation of Session-based Authentication

To implement the session-based authentication in node.js based application we have to follow the steps. So first of all initialize a node.js app in your machine then install express and express-session in your application.

const express = require('express');
const session = require('express-session');

const app = express();

// Set up session middleware
app.use(session({
  secret: 'your-secret-key',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: false } // Set to true for HTTPS
}));

// Sample user data stored in-memory (replace with a database in a real-world scenario)
const users = [
  { id: 1, username: 'exampleuser', password: 'password123' }
];

// Login route
app.post('/login', (req, res) => {
  const { username, password } = req.body;

  // Validate user credentials
  const user = users.find(u => u.username === username && u.password === password);

  if (user) {
    // Create session
    req.session.userId = user.id;
    res.send('Login successful!');
  } else {
    res.status(401).send('Invalid credentials');
  }
});

// Logout route
app.post('/logout', (req, res) => {
  // Destroy session
  req.session.destroy(() => {
    res.send('Logout successful!');
  });
});

// Example protected route
app.get('/dashboard', (req, res) => {
  // Check if the user is authenticated
  if (req.session.userId) {
    // Render dashboard or serve data associated with the user's session
    res.send(`Welcome to the dashboard, User ${req.session.userId}!`);
  } else {
    res.status(401).send('Unauthorized. Please log in.');
  }
});

// Start the server
app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

Here if we break the code then we are using express-session middleware to handle session-based authentication. The express-session middleware has different arguments to be given while setting the middleware.

  1. secret :

    • This is a required option, and it represents the secret used to sign the session ID cookie. It's a security measure to prevent tampering with the session data. The secret should be a long and complex string. You should replace 'your-secret-key' it with a strong, unique secret.

  2. resave

    • If set to true, it forces the session to be saved back to the session store, even if the session was not modified during the request. Setting it to false is often more efficient, as it avoids unnecessary saves.

  3. saveUninitialized

    • If set to true, it forces a session that is "uninitialized" to be saved to the store. An uninitialized session is a new and not yet modified session. Setting it to false is often recommended to comply with laws regarding consent, as it avoids creating sessions for users who have not explicitly interacted with the site.

  4. cookie

    • The cookie option allows you to configure various settings related to the session cookie.

    • secure (optional, default: false): When set to true, the cookie will only be sent over HTTPS connections. It's recommended to set this to true in a production environment with HTTPS.

At the time of logout we destroy the session using req.session.destroy() and with that we can also delete the session id from the database.

Stateless Authentication

In Stateless Authentication we don't store any state in the database but instead, the backend sends an encrypted JSON Web Token to the frontend and browsers store them in local storage. So you might think what is this token and why do we need this?

Suppose there is a parking area (web app) and you want to park a car in that parking area so you need a parking slip (Token) which contains some information like car number and block to be parked. But then you might think then any user can replicate this car slip on their own but here is a catch, with the parking slip you also get a secret stamp (secret_key) on that slip which prevents any replication or change.

Advantages of Stateless Authentication

  1. Scalability:

    • Stateless authentication is inherently scalable because the server does not need to store the session state. Each request contains all the necessary information for the server to validate and process it.

  2. Reduced Server Load:

    • Since there's no need to store session data on the server, it reduces the load on the server. This can be especially beneficial in large-scale applications with a high volume of concurrent users.

  3. Simplified Architecture:

    • Stateless authentication simplifies the architecture by eliminating the need for a centralized session store. This can lead to cleaner and more straightforward code.

  4. Improved Performance:

    • Stateless authentication can result in improved performance, as the server doesn't need to perform frequent database lookups or maintain a persistent session state.

  5. Stateless Nature of HTTP:

    • HTTP is inherently stateless, and designing authentication in a stateless manner aligns well with the principles of the web. Each request contains all the information needed for authentication.

Disadvantages of Stateless Authentication

  1. Secret Key Lost : If the attackers get the access of the secret key then he can make or alters the token behalf of him and can make the things worse.

Things to Know Before Implementation

Before we implement the jwt based authentication in the node.js let's learn some basic methods which we will use with it. Here's an explanation of the three basic methods used with JSON Web Tokens (JWT):

  1. jwt.sign(payload, secretOrPrivateKey, [options, callback]):

    • This method is used to create a new JWT.

      Parameters:

      • payload: The data you want to include in the token, often user information or other claims.

      • secretOrPrivateKey: A secret key or private key is used to sign the token. This should be kept secret and secure.

      • options (optional): An object specifying additional options for the token, such as the algorithm used for signing.

      • callback (optional): A callback function to handle the asynchronous signing process.

    • Example:

        const jwt = require('jsonwebtoken');

  const payload = { userId: 123, username: 'john_doe' };
  const secretKey = 'your-secret-key';

  const token = jwt.sign(payload, secretKey);

  2. jwt.verify(token, secretOrPublicKey):

    • This method is used to verify the authenticity of a JWT.

      Parameters:

      • token: The JWT to be verified.

      • secretOrPublicKey: The secret key or public key used for verification. If you used a secret key to sign the token, you need the same secret key to verify it. If you used a public key, you use the corresponding private key for verification.

    • Example:

        const jwt = require('jsonwebtoken');

  const token = 'your-generated-token';
  const secretKey = 'your-secret-key';

  jwt.verify(token, secretKey, (err, decoded) => {
    if (err) {
      // Token verification failed
      console.error('Token verification failed:', err.message);
    } else {
      // Token verified successfully
      console.log('Decoded token:', decoded);
    }
  });

  3. jwt.decode(token):

    • This method is used to decode the contents of a JWT without verifying its signature.

      Parameters:

      • token: The JWT is to be decoded.

    • Example:

        const jwt = require('jsonwebtoken');

  const token = 'your-generated-token';

  const decoded = jwt.decode(token);
  console.log('Decoded token:', decoded);

These three methods, sign, verify, and decode, are essential when working with JWTs. They allow you to create tokens, verify their authenticity, and decode their contents. Remember to handle the secret or private keys securely and use appropriate algorithms for your application's security needs.

Implementation of JWT based Authentication

To implement JWT based Authentication in the Node.js first we have to initialize an empty node app in the machine. Then install some packages

npm install express jsonwebtoken

const express = require('express');
const jwt = require('jsonwebtoken');

const app = express();
const PORT = 3000;

// Replace this with your own secret key (keep it secret and secure)
const secretKey = 'your-secret-key';

// Middleware to verify the JWT on protected routes
const authenticateToken = (req, res, next) => {
  const token = req.header('Authorization');

  if (!token) return res.sendStatus(401); // Unauthorized

  jwt.verify(token, secretKey, (err, user) => {
    if (err) return res.sendStatus(403); // Forbidden
    req.user = user;
    next();
  });
};

// Sample user data (replace this with your user authentication logic)
const users = [
  { id: 1, username: 'john_doe', password: 'password123' },
];

// Route to generate a JWT upon successful login
app.post('/login', (req, res) => {
  const { username, password } = req.body;

  const user = users.find(u => u.username === username && u.password === password);

  if (!user) return res.status(401).send('Invalid credentials');

  const accessToken = jwt.sign({ username: user.username, userId: user.id }, secretKey);
  res.json({ accessToken });
});

// Protected route requiring authentication
app.get('/protected', authenticateToken, (req, res) => {
  res.json({ message: 'This is a protected route!', user: req.user });
});

// Start the server
app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});

The decryption of tokens is simplified on jwt.io, making it crucial for users to keep their tokens confidential. Sharing tokens grants unauthorized access to personal resources. Understanding the risks of token exposure is vital for robust authentication.

Share this insightful blog with friends to empower them with knowledge on securing their online presence. Stay informed, stay secure! Happy Coding.

100xdevsauthenticationJWTSessionlearningWeb Development