
I'm trying to understand how authentication happens on a website. I'm not asking for code, I'm trying to understand the concept. When a user comes to the website for the first time, he/she logs in and my server authenticates it. But when the user moves to the next page, as http is stateless, how does the server know that the current user is the same user who has logged in?

I've thought of a couple of ways, which are as follows, but I'm not convinced that they will work flawlessly. In addition, they might not be efficient either.

  • Send userid/password in every request - very bad design, as userid/password can be hacked!
  • Use cookies - again it has a flaw, that user can send the cookie to his/her friend then my server would be in ambiguous state :|

Is there a better way to authenticate users on subsequent request?

Note: I'm not allowed to use the https protocol as it is slower than http and there are some business reasons.

Abhishek

1 Answer


You could use a token that holds how long the session should live. That token will be sent with every single request (that you want to use it with) and be verified at the server.

I think a good post about tokens is this one: What is token based authentication?

Community
  • Can a friend access the token from the user's computer (similar to cookies) or over the network? If yes, then this might not be useful either :|. I mean, let's say the token is `abcd`; then a hacker can send the same token over the web request to the server and mask the user's identity, isn't it? – Abhishek May 04 '15 at 07:26
  • From the computer probably yes; if you use HTTPS then the network should be safe. The token could contain the IP of the user, to make sure the same token can't be used from another network. – Eduard.H May 04 '15 at 07:35
  • If it is possible to copy from the computer then it is not safe, similar to a cookie. We can't use IP, as IP can be masked :|. Here I'm assuming the user wants to crack/hack into my server. `https` is an option, but not the solution, right? Anyways, I can't use https for my problem :( – Abhishek May 04 '15 at 07:37
  • I'm not sure how to prevent stuff being stolen from the user's computer; a short lifetime of the session is one alternative. I mean you can't prevent stuff getting stolen from a user's computer, only on the way from the computer to the server. And https should cover that. – Eduard.H May 04 '15 at 07:56
  • The problem with https is that it is expensive and slower. So, I can't use it. So, you mean there is no way, other than https, through which I can have a secure connection? – Abhishek May 04 '15 at 08:33
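The answer above describes a token that carries its own lifetime, is sent on every request and is verified by the server. The following is an added example, not code from the answer or from the linked post, showing one way such a token can be built: a payload (user id plus expiry) signed with an HMAC under a server-side secret, so the server can check on each request that the token was issued by it and has not expired without storing per-session state. The function names, the `SERVER_SECRET` and the JSON field names (`sub`, `exp`, `nonce`) are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side secret for the example. In a real deployment it is loaded
# from configuration or a key store; it never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in headers/URLs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, secret: bytes) -> str:
    return _b64e(hmac.new(secret, body.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, ttl_seconds: int, now=None, secret=SERVER_SECRET) -> str:
    """Create '<payload>.<signature>' after a successful login.

    The payload records who the token is for and when it stops being valid;
    the signature lets the server detect any change to that payload.
    """
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,                      # who this token belongs to
        "exp": int(now + ttl_seconds),       # absolute expiry (unix seconds)
        "nonce": secrets.token_hex(8),       # makes every issued token unique
    }
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body, secret)}"


def verify_token(token: str, now=None, secret=SERVER_SECRET):
    """Check a token presented on a later request.

    Returns (True, user_id) when the token is genuine and still valid,
    otherwise (False, reason). The signature is checked before the payload is
    parsed, so untrusted bytes are never interpreted unless they were signed.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(sig, _sign(body, secret)):
        return False, "bad signature"
    try:
        payload = json.loads(_b64d(body))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    return True, payload["sub"]


def demo():
    """Walk through the lifecycle: issue, accept, reject after expiry, reject if altered."""
    issued_at = 1_000_000
    token = issue_token("alice", ttl_seconds=300, now=issued_at)
    body, sig = token.split(".")
    # A payload naming a different user but reusing alice's signature (constructed).
    forged_body = _b64e(json.dumps({"sub": "mallory", "exp": issued_at + 300}).encode())
    return {
        "fresh": verify_token(token, now=issued_at + 60),
        "expired": verify_token(token, now=issued_at + 301),
        "tampered": verify_token(f"{forged_body}.{sig}", now=issued_at + 60),
        "garbage": verify_token("not-a-token", now=issued_at + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} -> {result}")
```

What the example makes concrete is the point made in the comments: the server can tell a forged or expired token from a genuine one, because only it holds the secret, but it cannot tell a genuine token presented by its owner from the same token copied off the owner's computer. That is why the short lifetime discussed above is the mitigation on the token side, while protecting the token on the wire is the job of the transport.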