Web Authentication Overview

up:: Web Development TK

  1. User visits the site and enters username and password.
  2. On submission, the browser sends the credentials to the server in the body of a POST request over HTTPS.
  3. Server looks up the user's stored password hash (Argon2id, bcrypt or scrypt with a per-user salt; the plaintext password is never stored) and verifies the submitted password against it using a constant-time comparison. If the user does not exist or the password is wrong, return 401 Unauthorized with the same generic message in both cases, so the response does not reveal which usernames exist. (403 Forbidden means the caller is authenticated but not allowed; a failed login is 401.)
  4. If valid, the server issues a JWT carrying the session claims (subject, issued-at, expiry) and signs it with a server-side secret. The token is signed, not encrypted: the client can read everything in the payload, so it must not contain secrets. The server sets it as a cookie with HttpOnly, Secure, SameSite=Strict, a Path, and a Max-Age matching the token's expiry, and sends it to the client.
  5. Browser stores the cookie and automatically includes it in subsequent requests to the server.
  6. User makes API calls, and the JWT travels in the cookie. (The alternative is to return the token in the response body and have client-side code send it in an Authorization: Bearer header; that trades CSRF exposure for XSS exposure, because the token then has to be readable by JavaScript and cannot be HttpOnly.)
  7. Server validates the JWT on each request: it checks the signature with the algorithm and secret it expects, rejects tokens whose header names any other algorithm (including "none"), and checks the expiry. Only after that does it trust the claims.
  8. Once the token expires, the user needs to log in again (or the client uses a refresh token, see below).

Other things to implement:

  • Rate-limit login attempts (per account and per source IP) to mitigate brute-force and credential-stuffing attacks.
  • Serve everything over HTTPS and send an HSTS (HTTP Strict Transport Security) header so browsers refuse plain-HTTP downgrades; the Secure flag on the cookie then keeps the token from ever being sent in the clear.
  • Keep server credentials and the JWT signing secret out of the code base, in environment variables or a secrets manager. For HS256 the secret should be a random value of at least 256 bits, not a passphrase.
  • Set a short expiration time for the JWT (e.g., 15 minutes) to limit the impact of a compromised token.
  • Consider adding refresh tokens for seamless reauthentication without re-entering credentials; keep them opaque and tracked server-side so a stolen refresh token can be revoked.
  • Validate user inputs on the server to prevent injection attacks.
  • Implement CSRF protection if using cookies for authentication: SameSite=Strict or Lax covers most cases, and a per-request CSRF token on state-changing endpoints covers the rest.
  • Log authentication events (logins, failed attempts, token validation failures) for audit and monitoring, without writing the tokens or passwords themselves to the log.
  • Rotate the JWT signing secret on a schedule. A signed token is stateless, so changing the secret is also the only way to invalidate every outstanding token at once; if a grace period is needed, put a key id (kid) in the header and accept both the old and new key until tokens signed with the old one have expired.
  • Ensure proper error handling so responses do not leak stack traces, library versions, or the specific reason a token was rejected.
  • Test the implementation for vulnerabilities such as XSS (which steals any token JavaScript can read), CSRF, session fixation, and acceptance of unsigned or alg=none tokens.