📚Authentication & Authorization

What is Authentication & Authorization?

Sometimes a client needs to get resources from the server, and the server has to verify the client's permission first. This is hard because the HTTP protocol is stateless: the server cannot tell who you are from one request to the next, so we need to add state on top of it.

There are two main ways to do this:

  1. Token-based

  2. Session-based

JWT (JSON Web Token) is one of the most common token-based ways to build an authentication system. With this mechanism the server does not need to store any session in the DB; instead it generates a token that contains the user's information, and the client attaches it to the HTTP header on every request for as long as the connection lasts. JWT is also more tamper-resistant: the token is signed, so any change to the user data inside it changes the signature, and a token modified by a man in the middle (MITM) fails verification.

Token-Based

Advantage:

  1. Every time the client accesses the server, instead of querying a token store for verification and then fetching the user information, the server can read the user information straight from the JWT.

  2. The server does not need to store any information about the token, unlike a session in the DB.

Disadvantage:

  1. If the token is stolen, the attacker can access the server with it (mitigated by encrypting the token and using HTTPS).

  2. After logout the JWT can still be used to access the server until it expires (mitigated by keeping a blacklist of logged-out tokens; this is like the session-based approach, implemented with a cache).
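To show the two points above in working code, here is an added example (not from the original notes) of a minimal HS256 JWT issuer and verifier with an in-memory logout blacklist. The secret, the claim names `sub`/`jti`/`exp` and the helper names are assumptions for the example; it uses only the Python standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed secret for this example; a real service loads it from configuration.
SECRET = b"example-hs256-secret-do-not-reuse"
REVOKED = set()  # logout blacklist of token ids (jti); a shared cache in production

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(header: str, payload: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue(user: str, jti: str, ttl: int = 3600, now: int = 0) -> str:
    """Build a compact HS256 JWT carrying the user's identity, a token id and an expiry."""
    now = now or int(time.time())
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "jti": jti, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_b64url(_sign(header, payload))}"

def verify(token: str, now: int = 0):
    """Return the claims dict if signature, expiry and revocation checks pass, else None."""
    now = now or int(time.time())
    try:
        header, payload, sig = token.split(".")
        # Accept only the algorithm we issue with; never let the header choose it for us.
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_sign(header, payload), _unb64url(sig)):
            return None  # payload or signature was altered after issuance
        claims = json.loads(_unb64url(payload))
    except (ValueError, AttributeError):  # wrong part count, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired
    if claims.get("jti") in REVOKED:
        return None  # user logged out; blacklisted until it would have expired anyway
    return claims

def logout(token: str, now: int = 0) -> None:
    claims = verify(token, now)
    if claims:
        REVOKED.add(claims["jti"])  # the JWT stops working before its natural expiry

def alter_payload(token: str, new_sub: str) -> str:
    """Change 'sub' without re-signing; verify() must reject the result."""
    header, payload, sig = token.split(".")
    claims = {**json.loads(_unb64url(payload)), "sub": new_sub}
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
```

The blacklist only needs to hold a token id until that token's `exp` has passed, which keeps the cache small compared with a full session store.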

Conclusion

To make the authorization system more secure, you need to combine the advantages of the session-based and token-based approaches in some parts of the implementation.
