Most engineers don’t understand how #authentication works. Here’s how it works in a few tweets, easy peasy! 👇
A user is authenticated if they carry with them a session token that is valid.
All of authenticating a user is boilerplate around this concept.
When a user registers, we save their username and password in a database.
We don’t store the password as-is because our database could get hacked. So we store a hash of it, with a random salt per user.
A hash is a one way cryptographic transformation of the password. For passwords it has to be a deliberately slow one (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), not plain SHA-256.
By storing and matching hashes instead of passwords, a database leak hands the attacker hashes, not passwords. But they can still guess offline against those hashes, which is why salted + slow matters: a fast, unsalted hash of a common password falls to a wordlist in microseconds, and every user who picked that password falls with it.
On logging in, a user provides a username which can be public and their password. We hash it again, and compare it with the hash we stored on signup.
If it matches (use a constant-time comparison), we know the user had the account password.
Often we also ask users to confirm their email address, so the address we’ll send password resets to really belongs to them. That proves control of the mailbox; it’s not a second factor.
Once a user has proved their username & password, we create a “session” for them.
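The storage and check described in the tweets above, as an added example that is not from the thread. Python standard library only: PBKDF2-HMAC-SHA256 with a per-user random salt stands in for bcrypt/scrypt/Argon2 (an assumption; pick one of those in production). The iteration count, the wordlist and the passwords are constructed for the demo. The last two functions show the other side of the caveat: a fast unsalted hash of a common password is recovered from a short wordlist instantly.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count in the range currently recommended for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing string: algorithm, cost, per-user salt, digest."""
    salt = os.urandom(16)  # fresh random salt per user: equal passwords -> different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        # hmac.compare_digest does not short-circuit on the first differing byte
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: treat as no match


# --- the anti-pattern the thread warns about: fast, unsalted hash ---------------

WORDLIST = ["letmein", "password123", "qwerty", "hunter2"]  # constructed sample


def fast_hash(word: str) -> str:
    """What a naive scheme stores: plain SHA-256 of the password, no salt."""
    return hashlib.sha256(word.encode()).hexdigest()


def crack_fast_hash(leaked_digest_hex: str) -> Optional[str]:
    """Offline guessing against a leaked unsalted hash: one cheap hash per guess,
    and the same guess table works against every user in the dump."""
    for guess in WORDLIST:
        if fast_hash(guess) == leaked_digest_hex:
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored:", record)
    print("login ok:", verify_password("hunter2", record))
    print("wrong pw:", verify_password("hunter3", record))
    print("unsalted sha256 cracked as:", crack_fast_hash(fast_hash("password123")))
```

The stored string carries the algorithm and cost, so the iteration count can be raised later and old records rehashed on the user’s next successful login.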
A session is like going to the waterpark and wearing a band. It helps you go on all the rides.
But when you leave the waterpark (logout), the session is no longer active.
Logging a user in is as simple as handing them their temporary water park band. We call it a session token: a long random string from a CSPRNG, so nobody can guess someone else’s band.
The user then wears it on their wrist. That’s storing the session token in a browser cookie (mark it HttpOnly, Secure and SameSite so scripts and other sites can’t grab it).
It stays on the wrist until they leave. It’ll be sent with every request.
When the server gets a session token that is in the session table and hasn’t expired, VOILA! They can go on all the rides, they’re authenticated!
When they leave the park or logout, we delete the session token from our database. That invalidates their session server-side; clearing the cookie alone wouldn’t.
That’s authentication in a nutshell.
All the forms (login, register, forgot password, change password, etc.)
just create or remove session tokens,
or update the user’s password hash. A password change should also remove the user’s other sessions, so a stolen band stops working.
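The session half of the thread (band handed out at login, checked on every request, removed at logout, all bands removed on password change), as an added example that is not from the thread. The store is an in-memory stand-in for the session table, the cookie name `sid`, the 24 h lifetime and the injectable clock are assumptions for the demo. The token itself never lands in the table; its SHA-256 does, so a leaked table does not hand out live sessions.

```python
import hashlib
import secrets
import time
from typing import Optional

SESSION_TTL = 60 * 60 * 24  # assumption: bands expire after 24 hours


class SessionStore:
    """In-memory stand-in for the session table, keyed by the token's hash."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._sessions = {}

    @staticmethod
    def _key(token: str) -> str:
        # store only a digest: the DB never holds a value that is itself a valid band
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        """Login succeeded: mint a 256-bit unguessable token and record it."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user_id": user_id,
            "expires": self._now() + SESSION_TTL,
        }
        return token

    def user_for(self, token: Optional[str]) -> Optional[str]:
        """Every request: unknown or expired token means not authenticated."""
        if not token:
            return None
        sess = self._sessions.get(self._key(token))
        if sess is None:
            return None
        if sess["expires"] <= self._now():
            del self._sessions[self._key(token)]  # lazy cleanup of an expired band
            return None
        return sess["user_id"]

    def logout(self, token: str) -> None:
        """Delete server-side; the browser dropping the cookie is not enough."""
        self._sessions.pop(self._key(token), None)

    def revoke_all(self, user_id: str) -> int:
        """Password change / 'log out everywhere': remove every band for the user."""
        doomed = [k for k, s in self._sessions.items() if s["user_id"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def session_cookie(token: str) -> str:
    """The Set-Cookie header value the login response should send."""
    return f"sid={token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"


def request_user(store: SessionStore, cookie_header: str) -> Optional[str]:
    """Pull 'sid' out of an incoming Cookie: header and resolve it to a user."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return store.user_for(value)
    return None


if __name__ == "__main__":
    store = SessionStore()
    band = store.create("alice")
    print(session_cookie(band))
    print("request with band ->", request_user(store, f"theme=dark; sid={band}"))
    store.logout(band)
    print("after logout ->", request_user(store, f"sid={band}"))
```

`SameSite=Lax` is the common default for a login cookie; `Strict` is tighter but breaks top-level navigations that arrive from other sites while logged in.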
Let me know if you have any questions!