Authentication and Authorization 101: A Beginner’s Guide to Sessions, Cookies, JWT, SSO, and OAuth 2.0

David Lin
4 min read · Jan 5, 2023


Having dabbled a little in authentication and authorization recently, I want to share and explain some of the common technologies used in a way that is easy for other beginners to understand. Here we go!

1. Sessions

A Session is a way to track a user’s activity on a website or web application. When a user logs in to a website, a session is created for them. This session is then used to track the user’s activity on the website. For example, if a user adds items to a shopping cart on an e-commerce website, the session will track these items so that they can be displayed to the user when they view their cart.

Sessions rely on session identifiers: unique strings of characters that are stored on the user’s computer. The session identifier is sent back and forth between the client and the server with each request, allowing the server to identify the user and track their activity.

2. Cookies

Cookies are small pieces of data that are stored on a user’s computer by a website. Cookies can be used to track a user’s activity on a website and to store information about the user. For example, a cookie might be used to store a user’s login information, so that they don’t have to enter it every time they visit the website.

However, cookies have some limitations. They can be deleted by the user, and they can be accessed by any website that the user visits. This means that they are not suitable for storing sensitive information, such as passwords.

3. JSON Web Tokens (JWT)

JWT, or JSON Web Token, is another technology used for authentication. A JWT is a token whose payload is a JSON object containing information about the user, such as their name and email address. JWTs are signed using a secret key to ensure that the information cannot be tampered with.

JWTs are often used to authenticate users in single sign-on (SSO) systems, where a user can log in to multiple applications using the same set of credentials. They are also used in APIs to authenticate users and authorize them to perform certain actions. Tokens can be stored in a cookie or sent with each request in an HTTP header. They are generally more secure than cookies because they are signed and can be encrypted.

However, tokens can be stolen if an attacker is able to intercept them, and they can be used to impersonate a user if they fall into the wrong hands.

4. Single Sign-On (SSO)

SSO, or Single Sign-On, is a system that allows a user to log in to multiple applications using the same set of credentials. This can be a big time-saver, because the user doesn’t have to remember multiple sets of login information. SSO systems also reduce the risk of password reuse, which can be a security risk if a user uses the same password for multiple accounts.

5. OAuth 2.0

Finally, let’s discuss OAuth 2.0. OAuth 2.0 is a protocol that allows users to grant access to their resources (such as their email or social media accounts) to a third-party application, without sharing their login information with the third party. It is often used to allow users to log in to third-party applications using their social media accounts (such as Facebook or Twitter), or to allow third-party applications to access a user’s resources on their behalf (such as when a user gives a calendar app permission to access their Google Calendar).

OAuth 2.0 works by issuing access tokens, which are issued by the resource server (such as Google) and are used to access the user’s resources. The access tokens are typically short-lived, which helps to reduce the risk of them being stolen or misused.

Conclusion

Each of these technologies has its own use cases and limitations, and it’s important to choose the right technology for your specific needs. Whether you’re building a web app, a mobile app, or a desktop app, these technologies can help you protect your users’ sensitive information and provide a seamless experience for them.

Thank you for taking the time to read this! I hope that this article has helped you to gain a better understanding of these technologies and how they can be used to protect user data and provide a seamless experience for your users. If you have any questions or would like to learn more, please don’t hesitate to reach out.
To see what I’m working on, visit my GitHub or my personal website.
