---
title: "How Authentication Works?"
description: "The internet primarily communicates using the HTTP(S) protocol. However, this protocol is stateless (meaning it does not store states)."
canonical_url: "https://otabek.io/blogs/how-authentication-works"
md_url: "https://otabek.io/blogs/how-authentication-works.md"
language: "en"
last_updated: "2024-04-14"
tags: ["Backend"]
---

# How Authentication Works?

The internet primarily communicates using the HTTP(S) protocol. However, this protocol is **stateless** (meaning it does not store state between requests: the server keeps no memory of the previous request when the next one arrives). So if the protocol itself remembers nothing, how does a system know whether we are authenticated or not?

Systems classify users into two categories: **authenticated users** and **unauthenticated users**. **Authenticated users** have logged in to the system, and because the system holds information about these users, it recognizes them.

**Unauthenticated users**, on the other hand, are users who haven't logged in. The system doesn’t have any information about them, and some actions may be restricted for them (since they are considered "anonymous").

But, given that the HTTP(S) protocol is stateless, how does the system know whether the user has logged in or not?

### Session Authentication

When a user logs into the system using a **username/phone** and **password**, the system creates a unique **session ID** specifically for that user. This session ID is stored both in the server's database and in the user's browser. So, each time the user sends a request to the server, they send their session ID along with it. If the server recognizes the session ID, it knows the user is authenticated. If no such session ID exists on the server, the request is treated as unauthenticated, which the user experiences as being automatically **logged out**. If the user logs out explicitly, the server deletes the session ID associated with that user from its records.

**Drawbacks:**

- **Resource consumption**: If a user logs in from multiple devices at the same time, a separate session ID is created for each one. Now, imagine 1 billion users logging in from 3 devices each.
- **Temporary**: Session IDs are temporary. If the user hasn’t logged in for a while, the system deletes the session, and when the user returns, they will see that they’ve been logged out and need to log in again.
- And there are other reasons you can explore...

### Cookie Authentication

When a user logs into the system, the server sends a special cookie to the user's browser (this is not the "cookie" you might be thinking of). A cookie is a small piece of data (up to 4 KB in size) that is stored in the browser, and the browser sends it back to the server on subsequent requests.

**Drawbacks:**

- Every HTTP request to the site is sent with the cookie, which increases the overall traffic size.
- It is not entirely secure: the browser attaches the cookie automatically, including to requests that another site causes it to make, which is what CSRF (Cross-Site Request Forgery) attacks exploit.
- Cookies can store up to 4 KB of data. If you need more storage, this may not be the solution for you.
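The session flow described in both sections above (log in, create a session ID, keep it on the server and in the browser, verify it on every request, delete it on logout or expiry) as an added example; this is my illustration, not code from the post. The class and function names, the in-memory store, the `now` clock hook and the constructed credentials are all assumptions; the cookie attributes (`HttpOnly`, `Secure`, `SameSite`) show the usual mitigations for the CSRF and script-theft issues the post mentions.

```python
import hashlib
import secrets
import time


def hash_password(password, salt):
    """Derive a password hash so the server never stores the plaintext (assumed helper)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server side of session authentication: session_id -> user and expiry (constructed example)."""

    def __init__(self, ttl_seconds=1800, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry can be exercised in tests
        self._sessions = {}       # session_id -> {"user": ..., "expires": ...}

    def login(self, username, password, credentials):
        """Check credentials and mint one fresh session ID per login (so one per device)."""
        cred = credentials.get(username)
        if cred is None:
            return None
        salt, digest = cred
        if not secrets.compare_digest(hash_password(password, salt), digest):
            return None
        sid = secrets.token_urlsafe(32)   # 256 random bits: unguessable, never sequential
        self._sessions[sid] = {"user": username, "expires": self.now() + self.ttl}
        return sid

    def verify(self, sid):
        """Return the user for a known, unexpired session, else None (seen as 'logged out')."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self.now():
            del self._sessions[sid]       # the 'temporary' drawback: idle sessions vanish
            return None
        return entry["user"]

    def logout(self, sid):
        """Explicit logout removes the server-side record; the browser's copy is now useless."""
        self._sessions.pop(sid, None)

    def active_sessions(self, username):
        """Count live sessions for a user (the 'resource consumption' drawback made visible)."""
        return sum(1 for e in self._sessions.values() if e["user"] == username)


def set_cookie_header(sid):
    """Set-Cookie value: not readable by scripts, HTTPS only, not sent on cross-site requests."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def session_id_from_cookie(cookie_header):
    """Pull the session ID out of the browser's Cookie header, if present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None
```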

In the second part of this post, I will write about **Tokens**, **JWT**, and **Passwordless authentication**. Stay tuned by following my [channel](https://t.me/otabekswe)!

---

```quiz
{
  "quiz": {
    "id": "authentication-quiz",
    "title": "Authentication Quiz",
    "description": "Test your understanding of authentication methods",
    "questions": [
      {
        "id": "q1",
        "type": "single-choice",
        "question": "Why does HTTP need special mechanisms for authentication?",
        "options": [
          { "id": "a", "text": "HTTP is stateless and doesn't store information between requests", "description": "" },
          { "id": "b", "text": "HTTP is too slow", "description": "Speed isn't the issue - HTTP is stateless, so it can't remember users." },
          { "id": "c", "text": "HTTP only works with images", "description": "HTTP handles all types of data, but it's stateless." },
          { "id": "d", "text": "HTTP doesn't support passwords", "description": "HTTP can send passwords, but being stateless, it needs auth mechanisms." }
        ]
      },
      {
        "id": "q2",
        "type": "single-choice",
        "question": "Where is a session ID stored in session-based authentication?",
        "options": [
          { "id": "a", "text": "Only on the server", "description": "Session ID is stored both on server AND in user's browser." },
          { "id": "b", "text": "Both on the server and in the user's browser", "description": "" },
          { "id": "c", "text": "Only in the user's browser", "description": "The server also needs to store it to verify the user." },
          { "id": "d", "text": "In a separate authentication server", "description": "Basic session auth stores it on the main server and browser." }
        ]
      },
      {
        "id": "q3",
        "type": "multiple-choice",
        "question": "What are drawbacks of session-based authentication? (Select all that apply)",
        "options": [
          { "id": "a", "text": "Resource consumption with multiple devices", "description": "" },
          { "id": "b", "text": "Sessions are temporary and expire", "description": "" },
          { "id": "c", "text": "Sessions are completely secure", "description": "Sessions have security considerations like any auth method." },
          { "id": "d", "text": "It's impossible to implement", "description": "Session auth is widely used and easy to implement." }
        ]
      },
      {
        "id": "q4",
        "type": "single-choice",
        "question": "What is the maximum size of a cookie?",
        "options": [
          { "id": "a", "text": "1 KB", "description": "Cookies can store up to 4 KB of data." },
          { "id": "b", "text": "4 KB", "description": "" },
          { "id": "c", "text": "1 MB", "description": "Cookies are limited to 4 KB." },
          { "id": "d", "text": "Unlimited", "description": "Cookies have a 4 KB size limit." }
        ]
      },
      {
        "id": "q5",
        "type": "single-choice",
        "question": "What type of attack are cookies vulnerable to?",
        "options": [
          { "id": "a", "text": "CSRF (Cross-Site Request Forgery)", "description": "" },
          { "id": "b", "text": "DDoS attacks", "description": "DDoS is a different attack type. Cookies are vulnerable to CSRF." },
          { "id": "c", "text": "Physical theft", "description": "Cookies are digital. They're vulnerable to CSRF attacks." },
          { "id": "d", "text": "Power outages", "description": "Cookies are vulnerable to CSRF, not physical events." }
        ]
      },
      {
        "id": "q6",
        "type": "drag-drop",
        "question": "Arrange the session authentication flow:",
        "items": [
          { "id": "login", "content": "User logs in with credentials" },
          { "id": "create", "content": "Server creates session ID" },
          { "id": "store", "content": "Session ID stored on server and browser" },
          { "id": "send", "content": "Browser sends session ID with each request" },
          { "id": "verify", "content": "Server verifies session ID" }
        ]
      }
    ]
  },
  "answers": {
    "q1": { "correctOptionIds": ["a"] },
    "q2": { "correctOptionIds": ["b"] },
    "q3": { "correctOptionIds": ["a", "b"] },
    "q4": { "correctOptionIds": ["b"] },
    "q5": { "correctOptionIds": ["a"] },
    "q6": { "correctOrder": ["login", "create", "store", "send", "verify"] }
  }
}
```
