Code-Memo

a. Overview:

Session-based authentication relies on a server-side session that is established when a user logs in. The server creates a session and stores the session ID, which is sent to the client as a cookie. On subsequent requests, the client sends the session ID, allowing the server to retrieve the session and authenticate the user.

b. How It Works:

When a user logs in, the server verifies their credentials and, upon successful authentication, creates a session object. The server generates a unique session ID and stores it along with the session data in memory or a database. This session ID is sent to the client as a cookie.
For each subsequent request, the client sends the session ID in the cookie. The server uses the session ID to look up the session data and determine if the user is authenticated.

c. Pros:

d. Cons:

Not ideal for stateless or distributed architectures, as sessions need to be synchronized across servers.
Can lead to scalability issues, especially with large user bases, as session data is stored on the server.

e. Use Cases:

a. Overview:

Basic Authentication is a simple authentication scheme built into the HTTP protocol. It involves sending the user’s credentials (username and password) with every request, encoded in Base64, in the HTTP header.

b. How It Works:

The client sends an HTTP request with an Authorization header containing the word “Basic” followed by the Base64-encoded credentials (username:password).
The server decodes the credentials, verifies them, and, if valid, grants access to the resource.

c. Pros:

d. Cons:

Credentials are sent with every request, making it insecure unless used over HTTPS.
Requires the client to store the username and password, which can lead to security risks.
No support for logout, as credentials are stored by the client and sent on each request.

e. Use Cases:

API authentication in low-security environments where the simplicity of Basic Authentication is sufficient.
Internal services where traffic is secured through other means (e.g., VPN, internal networks).

a. Overview:

Token-based authentication is a stateless authentication mechanism where the server issues a token to the client upon successful login. The client then includes this token in the headers of subsequent requests for authentication. Tokens can be of various types, such as JWT (JSON Web Tokens), OAuth tokens, or custom tokens.

b. How It Works:

After the user successfully logs in, the server generates a token (often a JWT) and sends it to the client.
The client stores the token, typically in local storage or a cookie, and sends it in the Authorization header of each subsequent request.
The server validates the token on each request and grants access if the token is valid.

c. Types of Tokens:

JWT (JSON Web Tokens): A compact, self-contained token that includes information about the user and the expiration time, signed by the server.
OAuth Tokens: Used in the OAuth 2.0 framework for secure authorization across different services.

d. Pros:

Stateless, making it scalable and suitable for distributed systems.
Tokens can be easily shared across different services and domains.
Can include metadata like expiration times, roles, and permissions within the token itself.

e. Cons:

Token management (e.g., expiration, revocation) can be complex.
If a token is compromised, it can be used until it expires or is explicitly revoked.
Requires secure storage of the token on the client side to prevent XSS (Cross-Site Scripting) attacks.

f. Use Cases:

RESTful APIs where statelessness and scalability are important.
Microservices architectures where services need to authenticate users without maintaining session state.
Single Page Applications (SPAs) where the frontend handles authentication.