Skip to content

Instantly share code, notes, and snippets.

@halitbatur
Created July 15, 2024 07:08
Show Gist options
  • Save halitbatur/3b48e423913738cd05cbca9c804f2fbc to your computer and use it in GitHub Desktop.
Save halitbatur/3b48e423913738cd05cbca9c804f2fbc to your computer and use it in GitHub Desktop.
Discussion about Auth and Security

Discussion Questions on Authentication and Security

  1. Why is it important to secure a backend application, and what are some potential risks if it remains unsecured? Discuss how attaching data to a user identity can mitigate some of these risks.

  2. How does the use of tokens enhance the security of a web application? Explain the process of generating and using tokens for user authentication, and compare it with the use of plain email and password combinations.

  3. What are the benefits of using modern hashing algorithms for passwords compared to older methods? Discuss the role of salting in preventing attacks and the concept of an adjustable cost factor.

  4. Explain the steps that take place when a user signs in to a website. How is the authentication data handled and stored, and what are the implications of these storage locations on security and user experience?

  5. Differentiate between authentication and authorization. Provide examples of scenarios where both are necessary to ensure the security and privacy of user data in a web application.

  6. Which technologies are considered stateful and which are stateless? What are the differences between both, and what are the advantages and disadvantages of each in managing user authentication?

@NtokozoMitchell
Copy link

@Vuyo Ngwane,
@Koketso

  1. It is important because some backend applications contain sensitive data, so we need to to maintain user trust by securing these assets.
    Some of the risks of unsecure backend applications include breaches in the server and cyber attacks which can lead to clients’ data being accessed, breaking the CIA triad in a company.
  2. Security tokens allow a client app to access protected resources on a resource server. An access token is a security token issued by an authorization server as part of OAuth 2.0 flow. It contains info about the user and the resource of which it is intended to. Tokens offer a second layer of security and administrators have detailed control over each action and transaction in contrast to plain email and password combinations

3.Modern hashing algorithms like Bcrypt, Scrypt, and Argon2 enhance password security by incorporating salting, adjustable work factors, memory hardness, and resistance to various attacks. These algorithms ensure non-reversibility, meaning they produce fixed-length hash values from input data, making plaintext passwords unreadable in databases. Salting adds randomness and uniqueness to input data, thwarting precomputed hash attacks and making identical passwords yield unique hashes. Bcrypt, for example, features an adjustable cost factor, which increases the time needed to calculate a hash, thereby countering brute force and dictionary attacks. This adaptability ensures security keeps pace with computing advancements.

4.a User Sign-In
Input: User enters their username/email and password.
Submit: User submits the form.
b. Server-Side Processing
Receive: Server gets the submitted data.
Verify: Server checks if the username/email exists and if the password matches the one stored in the database.
c. Successful Sign-In
Create Session: If credentials are correct, server creates a session.
Set Cookie: Server sends a session token to the user's browser as a cookie.
d. Managing Authentication Data
Store Cookie: Browser stores the session token cookie.
Secure Cookie: Use secure settings (e.g., Secure, HttpOnly) for the cookie.
e. Using the Session
Validate: For each user request, server checks the session token from the cookie.
Expire: Sessions have an expiry time after which the user must log in again.
Logout: User can log out, ending the session by clearing the cookie and deleting the session on the server.
5.Authentication is verifying who the user is.
Example: Logging in with a username and password.
Authorization is determining what the user can do.
Example: Allowing only admins to access certain features.

Scenario Example: E-Commerce Site:

Authentication: Users log in with their credentials (authentication).
Authorization:
Regular customers can view product listings and make purchases.
Admins have access to order management and inventory control.
Developers can access APIs for integration.

6.Stateful Technologies
Examples: Traditional web applications with server-side sessions (e.g., PHP sessions, ASP.NET sessions).
The server keeps track of user sessions by storing session data. Users get a session ID, which is sent with each request.
Stateless Technologies
Examples: RESTful APIs, JSON Web Tokens (JWT).
The server does not store session data. Instead, each request carries all necessary information, typically through tokens.

Differences
Stateful
State Tracking: Server stores session data.
Session Storage: Requires server-side storage.
Example: Traditional web apps that remember user sessions.
Stateless
State Tracking: Each request is independent.
Session Storage: No server-side session storage needed.
Example: RESTful APIs where each request includes an authentication token.

Stateful Authentication
Advantages:
Simple to Implement: Easy for basic applications.
Easy Expiration Management: Simple session expiration and logout.
Disadvantages:
Scalability Issues: Harder to scale across multiple servers.
Server Load: More load on the server to manage sessions.

Stateless Authentication
Advantages:
Scalable: Easier to scale across multiple servers.
Less Server Load: No need for server to store session data.
Flexible: Tokens can be used across different services.
Disadvantages:
Token Management: More complex to manage token expiration and revocation.
Security Concerns: Tokens must be securely stored and transmitted.
Larger Requests: Each request may be larger as it includes all necessary information.

@Sharolinah-23
Copy link

Sharon Matjila
Tumelo Thinane
Simphiwe Ndlovu

  1. Securing the application is important because it helps handle important data and function. If you do not protect the app you may be vulnerable to problems like data breaches, data tempering and unauthorized access. Linking data to a user's identity reduces risks by making sure that only verified users can perform actions and access information. This setup helps prevent unauthorized access and allows for tracking user activities, which ensures accountability.

  2. Using tokens enhances web application security by enabling stateless authentication, reducing session-related attacks, and improving scalability. Tokens are typically short-lived and unique, minimizing the risk of replay attacks. They can be signed and encrypted, ensuring data integrity and confidentiality. Tokens also allow for granular access control with additional claims, providing fine-tuned permissions. They simplify session management and logout processes through easy invalidation. Additionally, tokens support single sign-on (SSO), improving user experience without compromising security. Overall, tokens offer a more secure, flexible, and scalable authentication and authorization method.

Generating and Using Tokens for Authentication:

User Login:
A user logs in using their email and password.
The server verifies these credentials.

Token Generation:
Upon successful authentication, the server generates a token (often a JSON Web Token or JWT).
This token includes encoded information such as the user’s ID, an expiration timestamp, and sometimes other claims.

Token Storage:
The token is sent back to the client (browser or mobile app).
The client stores the token securely, usually in local storage or a cookie.

Subsequent Requests:
For each subsequent request, the client sends the token in the Authorization header (commonly using the Bearer schema).
The server receives and verifies the token.

Token Verification:
The server checks the token’s validity, integrity, and expiration.
If the token is valid, the server processes the request; otherwise, it rejects it.

Comparison with Plain Email and Password:

Security: Tokens are more secure with features like signatures and encryption, and they can be short-lived, unlike plain credentials which can be reused if intercepted.
Statelessness: Tokens enable stateless authentication, reducing session-related attacks and improving scalability.
Reduced Attack Surface: Tokens are unique and often short-lived, minimizing replay attack risks.
Versatility: Tokens carry additional data (claims) for more flexible access control, unlike email and password combinations.
Simplified Logout: Tokens can be easily invalidated, making the logout process cleaner compared to session-based methods.

  1. Usually, when a person logs in to a website, the following actions happen:

Procedure for User Sign-in

User->>Website: Enter username and password
Website->>Authentication Server: Send authentication request
Authentication Server->>Website: Verify credentials
Website->>User: Provide access or deny login
Usually, a secure database or the authentication server stores the authentication data, which includes usernames and passwords. The following are the effects of the storage location on user experience and security.

Security: To assist isolate critical information and lessen the attack surface on the main website, authentication data can be stored in a secure database or on a different authentication server. This enhances security overall because the authentication data would not be compromised in the event of a breach of the main website.

  1. Password harshing are specialized mathematical functions that transform plain text passwords into unique, fixed-size outputs, known as hashes, which are then stored in databases. Through the use of techniques such as salting, adjustable work factors, and memory hardness, modern password hashing algorithms are designed to prevent attacks like rainbow tables and data breaches. Example line of code: Password hashing mixes a password with a unique value called a salt using a special function. This is done multiple times to make it harder for attackers to guess. Sometimes, extra memory is used to make it even more difficult and secure.

  2. Authorization is the process of granting or denying permissions and access rights to authenticated users or entities. It answers the question "What are you allowed to do?". Examples of authorization include:

Granting access to specific pages or features of a web application
Allowing certain actions (e.g., creating, editing, deleting content) based on user roles or permissions
Restricting access to sensitive data or functionality

Both authentication and authorization are necessary to ensure the security and privacy of user data in a web application. Authentication ensures that only legitimate users can access the system, while authorization ensures that each user can only perform actions and access data that they are permitted to.

  1. Stateful vs. Stateless Technologies:

Stateful: Maintain session state on the server, requiring less information per request.
Examples: PHP, ASP.NET, Ruby on Rails,

Stateless: Do not store session state, each request is independent and self-contained.
Examples: REST APIs, Node.js, Go,

Differences:
Scalability: Stateless systems are more scalable as any server can handle any request.
Reliability: Stateless systems are more reliable as they don't depend on server-side state.

User Authentication:
Stateful: Authentication info stored on server, easier session management but less scalable.
Stateless: Token-based authentication, more scalable but requires careful token security.
The choice depends on application requirements, scalability needs, and security considerations.

@MissAngelaKing
Copy link

MissAngelaKing commented Jul 15, 2024

Angela, Mpho, Lindokuhle, Pumlani

1.Securing a backend application is crucial for several reasons, primarily to protect both the application itself and the sensitive data it processes. Attaching data to a user identity can mitigate some risks by ensuring that actions and data access are tied to authenticated users, thus making it easier to track and manage user activities, and to implement fine-grained access control.

  1. Token-based authentication improves web app security by replacing traditional email/password combos with a process where:
    Users log in with email/password.
    The server verifies and generates a signed token.
    This token, stored locally, is used for future requests. Benefits over email/password:
    No need for server-side session storage.
    Scales better in distributed systems.
    Enhances security with expirations and claims.
    Versatile for different app contexts.
    Enables Single Sign-On (SSO) for seamless multi-service access.

  2. Using modern hashing algorithms for passwords offers significant security benefits compared to older methods:

    1. Security Strength: Algorithms like bcrypt, Argon2, and PBKDF2 are designed to resist brute-force attacks effectively.
    1. Resistance to Rainbow Tables: Salting ensures each password hash is unique, preventing attackers from using precomputed tables effectively.
    1. Adjustable Cost Factor: Algorithms allow tuning the computational expense of hashing, adapting security as computing power advances.

In summary, modern hashing algorithms enhance password security by resisting brute-force attacks, defeating rainbow table exploits with salting, and adjusting to future computational capabilities.

  1. User Enters Credential -The user navigates to the sign-in page and enters their credentials (usually a username/email and password).
  • Form Submission - The sign-in form is submitted to the server, typically via an HTTP POST request.
  • Request Handling - The server receives the sign-in request and extracts the credentials from the request body.
  • Input Validation - The server validates the input to ensure it meets the required format and checks for missing or malformed data.
  • User Lookup - The server searches for the user in the database using the provided username/email.
  • Password Verification - The server retrieves the hashed password stored in the database and uses a hashing algorithm to compare it with the provided password. This typically involves hashing the provided password with the same salt and comparing the result to the stored hash.
  • Authentication Success - If the credentials match, the user is authenticated successfully.
  • Session Creation - The server creates a session for the authenticated user. This can be done using cookies (e.g., setting a session cookie in the user's browser) or tokens (e.g., generating a JWT).
  • Session Storage - Session information is stored on the server side (for session cookies) or encoded within the token (for JWTs).
  • Response to User - The server sends a response back to the user, typically including the session cookie or token.
  • Client Storage - The user's browser stores the session cookie or token.
  • Redirection or Response - The user is redirected to a protected area of the website or the homepage, or the server provides a response indicating successful sign-in.
  • Subsequent Requests - For subsequent requests, the client includes the session cookie or token, allowing the server to recognize the authenticated user.
  • Session Management - The server continues to manage the session, checking the session cookie or token for each request to verify the user's identity.
  • Session Expiry - Sessions typically have an expiration time, after which the user needs to sign in again.
  1. _Server-side Sessions: _
    Session IDs: When a user logs in, a session ID is created and stored on the server. The session ID is then sent to the user's browser as a cookie.
    Session Storage: Sessions can be stored in memory, databases, or dedicated session stores like Redis.
    Security Measures: Session data should be protected by setting secure flags on cookies (e.g., HttpOnly, Secure, SameSite) and using HTTPS to prevent interception.
    _Client-side Tokens: _
    JWTs (JSON Web Tokens): Tokens can be used to authenticate users. These tokens are generated by the server and sent to the client, who stores them (usually in local storage or cookies).
    Security Measures: Tokens should be signed and optionally encrypted. They should have short lifetimes and be refreshed regularly. Storing tokens in local storage can expose them to XSS attacks, while storing them in cookies should be protected with the same flags as session cookies.
    _Implications for Security: _
    Protection Against Attacks:
    Brute Force Attacks: Hashing with a high iteration count (like bcrypt) makes brute-forcing passwords computationally expensive.
    SQL Injection: Use prepared statements and parameterized queries to prevent SQL injection attacks.
    Cross-Site Scripting (XSS): Sanitize all user inputs and use secure storage mechanisms for tokens and cookies.
    Cross-Site Request Forgery (CSRF): Implement CSRF tokens to protect against CSRF attacks.
    Data Breaches: Encrypt sensitive data and regularly audit and monitor access to the database.
    Implications for User Experience:
    _Performance: _
    Hashing Speed: Stronger hashing algorithms can slow down login processes, but this is usually negligible compared to the security benefits.
    Session Management: Efficient session management ensures fast and responsive user interactions.
    _Convenience: _
    Remember Me: Implementing a “Remember Me” feature can improve user experience but must be done securely (e.g., long-lived tokens with refresh mechanisms).
    Single Sign-On (SSO): Integrating SSO can enhance user convenience by allowing them to use a single set of credentials across multiple services.
    _Security Trade-offs: _
    Stronger Security vs. Usability: Implementing stronger security measures like multi-factor authentication (MFA) can slightly inconvenience users but significantly increases security.
    Token Expiry: Short-lived tokens enhance security but may require users to log in more frequently.

  2. Stateful Technologies
    Stateful technologies maintain state information between different interactions with the same client. This state can be stored on the server or a persistent medium. Common stateful technologies include:
    _Server-side Sessions: _
    HTTP Sessions: Server-side sessions store user information on the server and reference it using a session ID sent to the client. Examples include PHP sessions, Java Servlet sessions, and Express.js sessions in Node.js.
    _Databases: _
    Relational Databases: Databases like MySQL, PostgreSQL, and Oracle maintain state through persistent storage of data, which can be queried and updated over time.
    NoSQL Databases: Systems like MongoDB, Redis, and Cassandra also maintain state by storing data that can be retrieved and modified.
    _Application State Management: _
    In-Memory Data Grids: Technologies like Hazelcast and Apache Ignite store application state in memory across a cluster of servers, maintaining state consistency.
    Stateful Services: Microservices or other services that maintain state across requests, such as services using Spring Session for state management.

Stateless Technologies
Stateless technologies do not retain state information between client interactions. Each request from a client is independent and contains all the information needed to fulfill it. Common stateless technologies include:
_HTTP Protocol: _
HTTP Requests: The HTTP protocol is inherently stateless. Each request from a client to a server is independent, and the server does not retain any information about previous requests.
_RESTful APIs: _
REST (Representational State Transfer): RESTful APIs are designed to be stateless. Each API request contains all the information necessary for the server to understand and process the request.

_Stateless Authentication: _
JWT (JSON Web Tokens): JWTs are stateless tokens used for authentication. They contain all the necessary information (claims) and are signed to ensure integrity. The server does not need to store session data.
OAuth 2.0 Access Tokens: OAuth 2.0 can use stateless tokens for authorization. These tokens carry all necessary information and do not require server-side session storage.
_Function-as-a-Service (FaaS): _
Serverless Computing: Platforms like AWS Lambda, Google Cloud Functions, and Azure Functions are stateless by design. Each function invocation is independent, with no state retained between invocations.
Microservices:
Stateless Microservices: Many microservices architectures favor stateless services, where each service handles requests independently and relies on external systems (like databases) to manage state

_Advantages: _
Scalability: Stateless authentication scales easily because the server does not need to maintain session state.
Performance: Reduces server resource consumption, as no session management is required.
Decentralized Validation: Any server instance can validate the token, simplifying load balancing and horizontal scaling.
_Disadvantages: _
Token Revocation: Invalidating tokens (e.g., logging out users) is more challenging since the server does not store session state.
Security Risks: Storing tokens client-side (e.g., in local storage) can expose them to cross-site scripting (XSS) attacks.
Token Size: Tokens, especially JWTs, can become large if they contain extensive user information, impacting performance due to increased data transfer.

@Geraldmutsw
Copy link

Geraldmutsw commented Jul 15, 2024

@Geraldmutsw
@hunny-bee
@katmafalela
@LethuM2197

  1. A backend application is the heart of most digital services, handling sensitive data, business logic, and critical operations. Securing it is of outmost importance for several reasons: Backend systems often store and process sensitive user data like personal information, financial details, and intellectual property. A breach can lead to identity theft, financial loss, and reputational damage. Many industries have strict data protection regulations. Non-compliance can result in hefty fines and legal troubles. A data breach can severely damage a company's reputation, eroding customer trust and loyalty. By linking data to a specific user identity and implementing strong access controls, organizations can Implement robust authentication mechanisms (multi-factor authentication) to verify user identity. Granting users only the necessary permissions to access specific data and functionalities based on their roles and responsibilities. Protecting sensitive data by replacing it with non-sensitive placeholder values when not required.

  2. Tokens enhance web application security by providing a stateless and secure method for authentication and authorization. They contain encrypted user information and permissions, reducing server-side storage of session data and minimizing the risk of session hijacking. Tokens, like JSON Web Tokens (JWTs), are signed and encrypted, ensuring data integrity and confidentiality. Using tokens for user authentication enhances security by minimizing credential exposure. Users log in with email/password, server verifies, then creates and signs a token (e.g., JWT) sent to and stored on the client. For subsequent requests, the client includes the token in headers; server validates it before granting access. Tokens offer better security by reducing credential transmission, single-login convenience, and scalable, stateless authentication compared to plain email/password methods.

  3. It helps to slows down brute force attacks significantly compared to older algorithms, it is not vulnerable to attacks as it uses features like salting unlike older algorithms which used precomputed hash tables, it also ensures that passwords remain secure even as technology evolves. Salting is a technique where a unique, random value (the salt) is added to each password before hashing. It ensures that even if two users have the same password, their hashes will be different because each hash incorporates a unique salt, that also helps in reducing collision.

  4. User enters credentials, then the entered credentials are transmitted from the user's browser to the web server, upon receiving the credentials, the server retrieves the stored user's password from the database. If the password match, authentication is successful. If not, the user is denied access. Passwords are never stored in plain text in the server. Instead, they must be hashed using hashing algorithms and stored in the database. The implications of storing hashed passwords helps enhance security by ensuring that even if the database is compromised, the actual passwords are not immediately exposed. Users are not directly affected by password hashing, but they benefit from the increased security.

  5. Authentication: This verifies the user. It uses passwords, OTP, biometric info and any other information provided by the user. Example: By entering their unique login credentials, employees can access a secure intranet portal that allows them to view their work schedules, submit requests for time off, and update their contact information. Authorisation: Decides which resources a user may utilize. authorisation works through settings that are implemented and maintained by the organisation. Example: By using their assigned security token, employees can gain authorization to access a project management system that allows them to collaborate on tasks, track project progress, and communicate with team members.

  6. Stateless: Every transaction in a stateless protocol or system is handled independently. It is independent of any information from past exchanges. The system does not store session data; in order for a request to be processed and understood, it must contain all necessary information. Advantages: Simplicity: By processing each request separately, complexity is decreased. Scalability: It's simpler to handle large amounts of requests because there's no need to recall previous data.Disadvantages: Lack of personalization: The system is unable to deliver experiences that are tailored to individual users based on past interactions because it is unable to "remember" anything about past transactions. May require more data: This could result in larger data packets because each request must include all relevant information.
    6.1. Video Games
    Statefulness is crucial in video games. Every time you play, the game tracks your progress: your level, score, achievements, location, resources, etc. This information, the game’s ‘state’, is stored and can be retrieved the next time you play, allowing you to continue where you left off.

6.2. Digital Assistants
Digital assistants like Siri, Alexa, and Google Assistant often operate in a stateless manner. Each query is processed independently, with the system typically not storing information from one request to the next. For instance, if you ask Siri about the weather and then ask, “How about tomorrow?”, Siri won’t understand the context because the two requests are treated independently.

@Hophneylen
Copy link

Hophneylen commented Jul 15, 2024

@Hophneylen
@samuelthis
@thewesss

  1. securing a backend application is essential to protect sensitive data, maintain trust, comply with regulations, and prevent malicious activities. Attaching data to a user identity strengthens security by enforcing access control, increasing accountability, and enabling dynamic responses to potential threats.
  • Tokens enhance web application security by acting as temporary, encrypted credentials for user authentication and authorization. Unlike session cookies, tokens are stateless and don't require server-side storage, reducing the risk of session hijacking. Additionally, tokens can be easily revoked or expired, adding an extra layer of security in case of compromise.
  • When a user successful login with their email and password, the server generates a unique token containing encrypted user information and sends it to the client. This token is then included in subsequent requests, verifying the user's identity without repeatedly sending sensitive credentials. Unlike plain email and password combinations, which are vulnerable to interception, tokens offer enhanced security due to their temporary nature and encrypted payload.
  • The benefits are Increased Security, Resistance to Rainbow Table Attacks, Slow Hashing-This intentional slowness makes brute force attacks significantly more difficult and time-consuming.
  • The role of salting in preventing attacks is creating unique hashes for identical passwords, gives enhanced security for reused passwords and provides protection against rainbow table attacks.
  • An adjustable cost factor in modern hashing algorithms (like bcrypt, Argon2, and PBKDF2) determines the computational complexity of the hashing process. By increasing the number of iterations or rounds, the cost factor makes password hashing more time-consuming and resource-intensive. This enhances security by slowing down brute force attacks.
  • You type in your username and password on a website login page.
  • The website checks if what you typed matches what it has stored. This is usually in a database, but can be in other places too.
  • If it's a match, the website creates a special code (like a token or session ID) to remember you're logged in.
  • This code is sent back to your browser, usually stored in a cookie.
  • Every time you request a new page, your browser sends this code, proving you're still logged in.
  1. Authentication verifies a user's identity. Authorization determines what resources or actions the authenticated user is allowed to access.
  • Banking Application: Authentication confirms the user is legitimate; authorization ensures they can only access their own accounts.
  • Healthcare Portal: Authentication verifies the identity of a doctor; authorization grants access to patient records relevant to their care.
  • Online Shopping: Authentication logs the user in; authorization controls access to order history and personal information.
  1. Stateful technologies - keep information about a user’s interactions across multiple sessions.
  • Databases(SQL)
  • Stateful firewalls
  • Session-based authentication systems
    Stateless technologies- do not keep information about previous interactions. Each request is treated on its own.
  • RESTful APIs
  • Stateless firewalls
  • Token-based authentication systems (e.g., JWT)
    Difference...
    Stateful
  • keeps session data on the server. Each user session is tracked, allowing for personalized experiences.
  • More challenging to scale due to the need to manage session data across servers.
  • Less fault-tolerant as losing a server can result in lost session data.
    Stateless
  • Does not retain session data. Each request is independent, requiring all necessary information to be included in each request.
  • Easier to scale as each request can be handled by any server without needing to share session data.
  • More fault-tolerant since each request is independent and does not rely on previous interactions.
    Advantages of stateful
  • Security: More secure as session data is stored on the server, reducing the risk of token theft
  • User Experience: Provides a seamless and personalized user experience by retaining session data.
    Disadvantages
  • Harder to scale as session data needs to be shared across servers
  • Resource Intensive: Requires more resources to manage and store session data]-stateful-authentication).
    Stateless....
    Advantages:
  • Scalability: Easier to scale as each request is independent
  • Resource Efficiency: Less resource-intensive as no session data is stored on the server
    Disadvantages:
  • Security: Potentially less secure as all session information is stored in the token, which can be intercepted
  • Complexity: Can be more complex to implement securely

@Gracepinkie
Copy link

Sinethemba Zulu
Sakhile Motha
Nonhanhla Mazibuko

  1. It is important to secure an application because users may share their sensitive data such as financial information or personally identifiable information, securing the application ensures that this sensitive data is protected from online risks/threats such as unauthorized access to data, identity theft, scams, file loss, etc. Attaching a user identity to data will ensure that only authorized users can access the data that is associated with their identity. It also allows for the tracking and logging of user activity which will be helpful when investigating data breaches and threats.

  2. Token-based authentication enhances web application security by enabling stateless authentication, where the server does not store session data, reducing the risk of session hijacking. Tokens, usually JWTs, are generated upon user login with valid credentials and contain user information and an expiration time, signed with a secret key. These tokens are stored client-side and sent with subsequent requests in the Authorization header, allowing the server to verify and process requests without repeatedly exposing plain text credentials. Compared to plain email and password combinations, which increase exposure risk and require server-side session management, tokens offer a more secure and scalable solution, with a limited lifespan and easy invalidation enhancing overall security.

  3. Using modern hashing algorithms for passwords offers significant advantages over older methods,
    they incorporate multiple hashing rounds, which increases the time required to compute each hash, enhancing security.
    Salting plays a crucial role in password security by adding a unique, random string to each password before hashing.
    This practice ensures that even if two users have identical passwords, their resulting hashes will differ. Salts also defend against rainbow table attacks, as attackers would need to generate a new table for each unique salt, significantly increasing their workload.
    An adjustable cost factor allows for scalability in the hashing process. This factor determines the number of iterations the hashing function performs, making it more computationally expensive for attackers as hardware improves

  4. When a user signs in to a website, they provide their credentials (e.g., email and password), which are sent to the server for validation. If valid, the server generates a token (like a JWT) and sends it back to the client. The token is stored client-side, usually in local storage or cookies. This token is then included in the Authorization header of subsequent requests for authentication. Storing tokens client-side reduces server load and improves scalability but requires secure handling to prevent XSS attacks. Proper storage and security measures enhance user experience by enabling seamless, stateless authentication while maintaining data protection.

  5. Authentication is the process of confirming the identity of a user when signing in on an application. It is when a user is supposed to provide their username and password. Authorization is the process of checking whether a user whose identity has already been verified has permission to access data or do some action on the application. For example, In online banking, both authentication and authorization are necessary. A user may log in using their username and password and a user may need additional verification to perform a transaction

  6. Stateful technologies, like traditional server-side sessions, store session data on the server, maintaining a persistent state between client interactions. Stateless technologies, like token-based authentication (e.g., JWT), do not store session data on the server, instead embedding all necessary information within the token itself. The main difference is that stateful systems require server storage and management of session data, while stateless systems embed state within the token, reducing server overhead. Stateful authentication ensures greater control and security over session data but can be less scalable and more resource-intensive. Stateless authentication improves scalability and performance by offloading session management to the client, but it requires careful handling of tokens to prevent security risks like XSS attacks.

@thabiso-makolana
Copy link

thabiso-makolana commented Jul 15, 2024

Emihle
Ntandoyenkosi
Konanani
Thabiso

1.- Protecting Sensitive Data
-Preventing Unauthorized Access to not allow just anyone to have access
-Maintaining Trust so users know that their personal information is safe

2.Tokens make web applications safer by creating random tokens. When a user logs in, the server makes a special code for them. This code is stored securely on both the server and their device. It's used for future logins and actions, so the user doesn't need to type their password every time. Tokens have time limits for safety and can be canceled if there's a problem. They make it easier for users to keep using apps securely without having to remember and type their password repeatedly. Using passwords are easy to remember since they were created by the user.

3.Modern hashing algorithms, provide considerable security improvements over older methods like MD5 and SHA-1. These algorithms include features such as salting, resistance to brute-force attacks, memory hardness, and adjustable cost factors, all of which enhance password security. Salting ensures that password hashes are unique and prevents attacks using precomputed hashes. The adjustable cost factor allows the computational difficulty of hashing to increase alongside advances in hardware capabilities, thereby maintaining strong security over time.

  1. When a user signs in to a website, they provide their username/email and password, which are sent securely to the server. The server checks these credentials against stored, hashed passwords. If valid, a session is created, and a token or session ID is generated and stored on both the client (e.g., in a cookie) and server sides. This token allows subsequent access to protected resources without re-entering the password. Secure handling and storage of authentication data, including hashing passwords and using tokens, ensures both security against breaches and a smooth user experience

  2. Authentication verifies the identity of users, ensuring they are who they claim to be through methods like passwords or biometrics. Authorization determines what authenticated users can access or do within the application based on their roles or permissions. Both are crucial for securing user data in web applications: authentication ensures only legitimate users access the system, while authorization controls what actions and data each user can interact with, thus safeguarding privacy and maintaining security.

Example scenarios :
Login Page (Authentication):
Users authenticate with credentials (username/password) to access their account.
Proper authentication ensures only legitimate users can log in.
Two-Factor Authentication (2FA) (Authentication):
Combining password and OTP for enhanced security.
Adds an extra layer of protection against unauthorized access.
Role-Based Access Control (RBAC) (Authorization):
Different roles (e.g., user, admin) have varying permissions.
Admins can manage users, settings, and critical functions.
Resource-Level Authorization (Authorization):
Limiting access to specific data (e.g., user profiles).
Protects sensitive information and ensures privacy.
Privacy Settings (Authorization):
Allowing users to control who sees their content.
Empowers users while safeguarding their data.

  1. Stateful Technologies:
  • HTTP Sessions
  • Cookies with server-side storage

Stateless Technologies:

  • JWT (JSON Web Tokens)
  • OAuth Tokens

Stateful technologies maintain session data on the server, allowing for continuous client-server interactions with preserved state. In contrast, stateless technologies do not store session data on the server, relying on tokens or self-contained requests for each interaction. The choice between stateful and stateless depends on application complexity, scalability needs, and security requirements.

Pros for statefull:
They use the information they’ve saved to give customers what they want, which increases customer engagement.
Remember what the user was doing before and pick up where they left off, retaining useful information and improving the customer journey.
Secure apps save user login and session data, which protects important information.
Cons:
Developers have to work harder to keep state info, which makes it challenging to develop and maintain stateful apps.
Creating a stateful app is not an easy task. It’s hard to keep track of state info across instances.
Stateful apps use more resources, especially memory, and storage, which slows them down.
In the event of a loss, it is hard to get the application back to the way it was because you also have to recover the lost data.

Pros for stateless:
Stateless apps scale better because each request is processed separately. Adding more application instances without state consistency concerns improves load balancing and horizontal scaling.
Stateless applications require less state management logic, making them easier to design, create, and maintain.
Stateless applications don’t store state across requests, thus one failure doesn’t affect the others. System fault tolerance improves

cons for stateless:
Stateless apps must send all data with each request and response, which may increase overhead. Stateless applications may have lower performance and latency as they do not have to send all the data with each request.
Chat, gaming, and real-time collaboration apps require state management. These cases may not suit stateless architecture.
Stateful activities can complicate stateless apps. Developers must implement mechanisms for managing state across multiple requests, such as cookies, tokens, or databases to manage state across requests.

@Letagoeve
Copy link

@Nhlanhla-advocate @Letagoeve @mpilomthiyane97

1.A backend application must be secured for a number of reasons:

The Value of Backend Application Security:
-Data protection: Sensitive data, such as financial and personal information as well as confidential company information, is frequently handled by backend applications. This data is shielded against breaches and unwanted access by security measures.
-Integrity of Business Logic: Vulnerabilities in business logic can be exploited by insecure backends, giving attackers the ability to alter the intended functionality of the programme.
User Trust: Users anticipate the security of their data. A breach can undermine confidence, costing the company business and harming its reputation.

Potential Risks of an Unsecured Backend
-Data Breaches: Unauthorized access can lead to theft of sensitive data, resulting in financial loss and reputational damage.
-Injection Attacks: Attackers can exploit vulnerabilities to inject malicious code, compromising the application and its data.
-Service Downtime: Attacks can cause outages, affecting service availability and user experience.
Malicious User Activity: Unsecured systems may allow users to perform actions they shouldn’t, such as accessing or altering data without proper authorization.

2.Enhancing Security with Tokens
Process of Generating and Using Tokens for User Authentication:
-User Login: The user provides their credentials to the application, which is typically their email address and password.
-Verification of Credentials: The server compares the stored user data with the credentials. The server generates a token if it finds the request valid, if it’s invalid it lets the user know to input correct credentials.
Token Generation: JSON Web Tokens (JWT) and other standards are commonly used by the server to produce tokens. The token has the following contents:

Information or claims provided by users
-Time of expiration
-A signature
-Storage of Tokens: The client receives the token, which is often kept in a cookie or local storage.
Future Requests: The client appends the token to the HTTP headers for upcoming requests.
Token Verification: With every request, the server confirms the token's validity by examining its integrity and expiration. If valid, the request proceeds; if not, the server denies access.

Importance of Securing a Backend Application:
-Data Protection: Backend applications often handle sensitive data, including personal information, financial details, and proprietary business information. Security measures protect this data from unauthorized access and breaches.
-Integrity of Business Logic: Unsecured backends can lead to exploitation of business logic vulnerabilities, allowing attackers to manipulate the application's intended functionality. Like when hackers hacked banks and demanded a ransom in Bitcoin.
-User Trust: Users expect their data to be secure. A breach can erode trust, leading to loss of customers and damage to the brand's reputation.

3.Security Against Attacks:
-Brute Force Attack Resistance: Attackers are slowed down by modern algorithms, which makes brute force attacks more challenging and time-consuming.
-Protection Against Rainbow Tables: Precomputed hash attacks (rainbow tables) are rendered useless by the use of salts in advanced hashing algorithms.

Adaptive hashing:
With the support of an adjustable cost factor, modern algorithms (such as bcrypt, Argon2) enable the computational effort to grow with faster technology while preserving security over time.
Memory-Hardness: Some contemporary algorithms, like Argon2, are made to be memory-intensive, which causes additional challenges for attackers that have specialised hardware.

4.. Handling and storage of authentication data:

  • Password storage: Passwords are hashed and salts are added for security.
  • Session tokens: Tokens are stored securely and have expiration times.
    -Database security: Access controls and encryption are used to protect user data.
    Implications on security and user experience:
  • Security measures like encryption, hashing, and session management enhance security.
  • Ensuring a balance between security measures and user experience is crucial.

5.Authentication is verifying the identity of a user, like logging in with a username and password. Multi-Factor Authentication adds an extra layer of security, like a code sent to a phone. This confirms who the user is.

Authorization determines if an authenticated user can access resources, like different permissions for various roles or only accessing personal data. It controls access based on identity and permissions.

Both are necessary for scenarios like online banking, where users log in (authentication) to access account info (authorization). In healthcare, doctors can view records and patients can book appointments, both after logging in.
User roles in a content management system determine actions. In corporate intranets, employees have different access levels. E-commerce platforms use authentication for orders and authorization for managing customer data.
Both are crucial for security, privacy, and compliance with regulations like GDPR and HIPAA, protecting user data and limiting access.

6.Stateful technologies link user data or session information to a particular server instance by storing it on the server-side. Although this method has scalability issues and can result in session data loss in the event of a server crash or restart, it is simpler to deploy and manage user sessions. Cookies, server-side sessions, and session-based authentication are a few instances of stateful technology.

Conversely, stateless solutions are scalable and adaptable since they do not retain user data or session information on the server-side. Although this method is more difficult to set up and maintain, it provides greater flexibility and makes load balancing and failovers easier to handle. Stateless technologies include OAuth, API keys, and token-based authentication (like JWT). Stateless methods provide greater scalability and flexibility in user authentication management, however

@NokulungaM
Copy link

NokulungaM

  1. Securing a backend application is crucial to protect sensitive data, ensure regulatory compliance, maintain trust and reputation, and prevent unauthorized actions. An unsecured backend is vulnerable to data breaches, data manipulation, denial of service attacks, privilege escalation, and injection attacks. Attaching data to a user identity mitigates these risks by enabling access control, accountability, personalized security measures, data segregation, and effective session management, ensuring only authorized users can access and interact with the data and system functions securely.

  2. The use of tokens enhances web application security by enabling stateless, secure, and scalable user authentication. Tokens, typically JSON Web Tokens (JWT), are generated upon successful user login using a combination of email and password. These tokens contain encoded information about the user and are signed by the server. The client stores the token and includes it in the header of subsequent requests, allowing the server to verify the token's authenticity and authorize access without repeatedly querying the database. Unlike plain email and password combinations, which require persistent sessions and can be vulnerable to various attacks, tokens offer a more secure and efficient method by ensuring that sensitive credentials are not sent with every request and reducing the risk of session hijacking.

  3. Modern hashing algorithms for passwords, such as bcrypt, Argon2, and scrypt, provide enhanced security compared to older methods like MD5 or SHA-1 by being resistant to brute-force and rainbow table attacks. These algorithms incorporate salting, which adds a unique random value to each password before hashing, ensuring that identical passwords result in different hashes and preventing attackers from using precomputed tables to crack passwords. Additionally, they support an adjustable cost factor, allowing the hashing process to be made deliberately slow, which can be adjusted over time to counteract increasing computational power and further protect against brute-force attacks.

  4. When a user signs in to a website, the following steps typically occur: the user enters their credentials (email and password), which are sent to the server over a secure connection. The server verifies the credentials against stored hashed and salted passwords in the database. Upon successful authentication, the server generates a token, such as a JWT, and sends it back to the client. The client stores this token, usually in local storage or a secure cookie, and includes it in the headers of subsequent requests for authentication. Secure storage of authentication data on the server (hashed and salted passwords) and client (tokens) is crucial for protecting against unauthorized access and ensuring a smooth user experience by avoiding repeated logins. However, improper handling or storage can lead to security vulnerabilities like token theft or unauthorized access.

  5. Authentication verifies a user's identity, while authorization determines what resources and actions the authenticated user is allowed to access. Both are necessary for security and privacy in web applications. For example, in an online banking app, authentication ensures the user is who they claim to be by verifying their credentials. Authorization then ensures the authenticated user can only access their own account information and perform allowed transactions, not access other users' data or perform unauthorized actions.

  6. Stateful technologies, like traditional server-side sessions, store user authentication data on the server, while stateless technologies, like JWT tokens, store this data on the client. Stateful authentication keeps track of user sessions, allowing for centralized control and easy session invalidation but can become resource-intensive and less scalable. Stateless authentication, being client-side, is more scalable and reduces server load but can be harder to manage securely and invalidate. Each method has trade-offs: stateful provides better control and security at the cost of scalability, whereas stateless offers better performance and scalability with potential security challenges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment