
Sessions and Authentication

Last week we looked at the HTTP protocol, and the mechanics of how the web works. This week we will continue looking at some of the protocols behind the web, how we keep track of users, and examine sessions and authentication.

The stateless design of the HTTP protocol means that every request is independent: the protocol itself makes no link between one request and the next[1]. So anything that needs state, such as knowing which user is logged in, requires some way of keeping track of users across requests.

Sessions do this by attaching a unique identifier (a session token) to every request sent to the server. When a request arrives, the server looks the token up in its session store to find out which user made it. Because the token is the only thing tying a request to a user, it must be unguessable: anyone who obtains or guesses a valid token can act as that user.
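As an added example (not code from the original page), here is the server side of that lookup in miniature: an in-memory session store that issues random tokens, resolves a token from a raw Cookie header back to a user, expires idle sessions and invalidates tokens on logout. The cookie name `session`, the idle timeout and the store design are assumptions for illustration.

```python
"""Minimal in-memory session store: the client sends back an opaque token,
the server maps that token to a user on every request.

Added example, not code from the original page. The cookie name, the
idle-timeout value and the store layout are assumptions."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Maps unguessable tokens to sessions.

    The token is the only thing the client sends back, so it must be
    impossible to guess: 32 bytes from the OS CSPRNG (256 bits). A
    sequential or timestamp-derived token would let one user take over
    another's session simply by counting up.
    """

    def __init__(self, idle_timeout: float = 30 * 60):
        self._sessions: dict[str, Session] = {}
        self.idle_timeout = idle_timeout

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 43 URL-safe characters
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: Optional[str], now: Optional[float] = None) -> Optional[str]:
        """Return the user for a token, or None for unknown or expired tokens."""
        now = time.time() if now is None else now
        if token is None:
            return None
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > self.idle_timeout:
            # Expired: drop the entry so the token can never be reused.
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess.user

    def destroy(self, token: str) -> None:
        """Server-side logout: deleting the entry invalidates the token even
        if the client keeps sending it."""
        self._sessions.pop(token, None)


def token_from_cookie_header(header: Optional[str], name: str = "session") -> Optional[str]:
    """Pull one cookie's value out of a raw Cookie request header.

    'theme=dark; session=abc; lang=en'  ->  'abc'
    """
    if not header:
        return None
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def handle_request(store: SessionStore, cookie_header: Optional[str],
                   now: Optional[float] = None) -> str:
    """Tiny request handler: identify the caller by session, else anonymous."""
    user = store.resolve(token_from_cookie_header(cookie_header), now)
    return f"hello {user}" if user else "anonymous"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(handle_request(store, f"theme=dark; session={tok}"))  # hello alice
    print(handle_request(store, "session=not-a-real-token"))    # anonymous
    store.destroy(tok)
    print(handle_request(store, f"session={tok}"))              # anonymous
```

The two security-relevant choices are the source of the token (`secrets`, never `random` or a counter) and the fact that the server, not the client, decides when a token stops being valid: expiry and logout both delete the server-side entry, so a stolen token has a bounded lifetime.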

While sessions give us a way of keeping track of users, we also need to confirm who they are. Authentication mechanisms are designed to confirm a user's identity. For the second topic this week we will look at common authentication mechanisms, and how they can affect the security of a web service.

Topics

  • Authentication and Authorization
    • Overview of Authentication
    • Common authentication methods
  • Storing Stuff on the Client
    • Cookies
    • Other Client Side Storage
  • Keeping Track of Users
    • Stashing data in a Request
    • Sessions and Cookies
    • API tokens

  1. This is not strictly true for HTTP/2 or HTTP/3, which multiplex many requests over a single connection, but the requests themselves still carry no application state, so sessions are not going to go away quickly. 
