Geek Answers Handbook

Login: Forex Information

What happens when you enter the site?

I know that cookies are stored and some information (what information?) Is sent to the server ... but maybe in more detail?

+7
authentication login
source share
8 answers

Sometime, somewhere on the Internet ....

  • Browser: “Hey, can I see this web page?”, The problem is that I don’t remember you speaking in front of you ”
  • Website: "be sure to fill out the form, I need your username and password"
  • Browser: "Here ya go"
  • Website: "Great! Welcome back, Coldfire! Here is the page. See if you want more pages, take this token and use it when you ask another"
  • Browser: Cool. This site gave me a token. I'll remember this!

In a few minutes

  • Browser: “Oh, can I see this other web page? Here is my token”
  • Website: "This token looks good, hello again coldfire, here is your web page"

This is essentially that. To remember that the user is logged in, he gives the user a token, which he must present with his next request. This is usually achieved by a server telling the browser to store this token in a cookie.

Performing deeper transport layer authentication

The method of transferring credentials to the server and the nature of the returned token differ depending on the authentication method used.

The simplest, HTTP Basic Authentication , is provided by most web server implementations. This causes the browser to open the familiar login dialog box. A token is simply your base64 username and password. Not particularly safe.

The server can also provide Digest Authentication , which avoids the transfer of actual credentials - instead, the client generates a hash of their credentials using the generated salt. It is designed to prevent intrusions and retries.

Deeper Application Level Authentication

For maximum flexibility and management, most sites prefer to implement authorization in the application layer rather than in the HTTP transport layer. This provides a wider selection of security options. Any site that requests credentials on a web page (and not in the browser login dialog box) uses its own authorization method.

User methods will be very different during their initial interaction, but they almost always result in a user being presented with a session cookie containing a randomly generated identifier. Then the browser automatically transmits a cookie with each subsequent request. The web application will check the cookie value to ensure that it is still valid.

You can also give permission to a trusted third party, as a rule, to provide some kind of service with one subscriber. In such cases, when you notice that the user is not authenticated, you refuse it from the authentication provider. They authenticate them, and they will be returned to you using some token that you check with the provider. Shibboleth is one example of this. You are also logged into this site using a similar method used by OpenID

Further reading

Here are some nice answers from a similar question

  • PART I: How to Enter
  • PART II: How to stay logged in - Inglourious Remember Me flag
  • PART III: Using Secret Questions
  • PART IV: Forgotten Password Functionality
  • PART V: Verify Password Strength
  • PART VI: much more - or: preventing attempts to enter the quick access system
  • PART VII: Common Brute Force Attacks

Other answers in this question provide even more links to round your education!

+51
source share

This is a pretty general question. What you do, in general, sets up some credentials with the site itself. If we take the simple version, you will enter a username and password; this means that you identify yourself on the website and then show him the secret that you and the website share that no one knows (we hope). This establishes you as a authenticated person with that username, and therefore we say that you authenticated yourself.

Once you do this, there are some design decisions that a website designer should make. most people don’t want to log in for each page, so the website wants to keep a little information, credentials, at your end. That means he can tell you still. Often, as you say, this is a cookie, which is nothing more than a tiny text file with a website URL. This file is stored in the browser.

On many websites, for example, for banking operations, you also want to ensure that data exchange cannot be intercepted by a third party. If so, you establish a secure connection using a protocol known as SSL or TLS. This addition to the basic connection is the exchange of information that sets up the session key. This session key is then used to encrypt messages. This usually happens before you change your username and password so that your password is never visible to an attacker.

Under the covers, when you establish a secure connection, the website sends a formatted data block called x509 certificate to your browser. This is another form of authentication; the certificate will be signed by the issuer (certification authority or "CA"), and the browser can use the stored data about the CA to guarantee the authenticity of the certificate.

+11
source share

It completely depends on the implementation of the website. Even the use of cookies is optional, but very common.

However, in most cases something similar happens:

  • You submit your username and password using the HTML form.
  • The server is looking for the appropriate user (using the database)
  • The server checks whether the password matches the password that is stored in the database with the user.
  • If the password is correct, the server will store what the user is currently active in the session. The identifier of this session is stored in a cookie, the actual data of this session (current user) is stored on the server under this identifier.

You are now logged in. You remain logged in for the remainder of the session:

  • When you request another page from the server, you send a cookie with the identifier sesison.
  • The server is loading the session using this identifier. In this session, the current user is saved, so the server knows that the user has registered.
+5
source share

When you access a website, your credentials are authenticated first. If your credentials match, then something is put into the session (on the server) to keep track of who you are, so you can access the data you need without having to log in again. This is clearly useless on the web server if the client cannot provide information about who he is for each request. Note that the “session” is usually fully supported on the web server, with the client only having a key that allows access to the session.

Remember that HTTP itself is a stateless protocol. The HTTP standard does not contain an HTTP request method to save or save any state between separate HTTP requests. Thus, the state is usually stored entirely on the server, and you just need a way for the client to determine which session the current HTTP request belongs to.

Two common ways to do this:

  • Use a cookie (e.g. Apache Tomcat uses a JSESSIONID cookie) to store some hashed authentication token that will successfully search for a web session or
  • Rewrite the URL so that each request has a session identifier added at the end of the request. However, using Apache Tomcat as an example, if cookies are disabled, the URL will be rewritten to complete with a string like " ;jsessionid=.... ". Thus, every request, every HTTP GET and POST (and the rest) ends with this line.

Thus, for each request that a client makes, a session identifier is provided to the web server, allowing a quick search of the state for this client, allowing HTTP to act as a protocol with state.

What information is sent to the server when logging in? Whatever information you specify on the login form. Some web servers also track the TCP / IP address from which the request came in order to avoid session capture attacks . Usually this is all the information that the server needs.

If you do not allow your browser to save cookies, you will have to log in to the web server each time you open the browser and first open the server’s web page. However, if you allow your browser to save cookies, then many servers allow you to save cookies (that is, not just use a cookie), so that every time you go to the server’s web page, the cookie saved will identify you so that You did not need to re-login. Here, the cookie will store enough information - often in an encrypted form that only the server can understand - to identify you. In this case, Cookie is not a simple session identifier.

+3
source share

It is very easy to explain what happens below:

What's happening?

  • Username
  • Password

What is going on inside?

  • Password converted to hash
  • The hash (password) is compared with a database table or directory service (if someone is wrong, it’s silly, the site will not save your password in clear text)
  • If authenticated, the Status Token is stored in the session and / or in the cookie.
    • This token can only contain status, login timestamps, your userId, userType (if any), etc.
    • This token is read and verified on every page that you access, if this page requires you to register as a specific type of user.
  • If authentication fails , you are redirected to the error page requesting re-entry.

What comes out

  • You redirect your personal profile page / page that you accessed, which checks you using a token.
  • In addition, a digital certificate may appear on the photo if you gain access to a banking site or other critically protected site.
+1
source share

There are two main methods of authentication on the Internet and several less popular methods that you should be aware of.

The first is HTTP authentication as defined by RFC 2617 . When you request a secure page, the server responds with a status code of 401 , signaling that you are not allowed access to the resource. In addition to this, it also sends a WWW-Authenticate header, which tells the browser how it wants you to allow yourself. The browser sees this status code and header and asks for your authentication information. When you enter them, your browser prepares them according to the specific authentication scheme specified by the server, and again requests a page, including the Authorization header with the prepared details. The server checks this data against its user database and either responds with another 401 (incorrect data) or a secure page with an accompanying status code of 200 to indicate success.

HTTP authentication is one of those ancient functions that browsers did not use to start and never improved. Because of this, it became much more popular when web developers themselves implemented authentication using cookies to preserve state. In this case, the user is provided with a standard HTML form. When the user enters their credentials into the fields and submits the form, the browser encodes it and sends it to the server in the same way as it encodes any normal HTML form. The server checks the credentials and, if they are legal, sets a cookie with a randomly generated identification number along with the corresponding database / file system record that recognizes this identification number as belonging to a specific user.

From now on, every request made by the browser to the server includes this cookie ID number as an HTTP header. The server recognizes the cookie, looks at the identification number and knows who you are. When you decide to log out, the server sends a response in which your browser should forget the identification number, after which you are another anonymous user.

A less common option is to use client SSL certificates. Many people are familiar with the idea of ​​using SSL for server authentication. A cryptographic key pair is created, signed by a trusted authority, and is used to confirm that the data sent originated from the key holder. However, many people are not aware of this, as it is that the client can verify their identity on the server. However, this is less convenient, since you need to carry your certificate with you if you want to use it on multiple machines.

Of course, there are variations and less well-known options, but they are the most noticeable.

+1
source share

As others noted, login procedures vary by implementation, but the main case (simple web application authentication) uses something like the following pseudo-code:

 function login(username, password) { user = db->get_user(username) if (user == false) { report_error("Unknown username") exit } if (user->password != hash(password)) { report_error("Incorrect password") exit } // User authenticated, set session cookie session->set_data('current_user', user->username) }

Of course, in most cases it becomes a little more attractive than this, but each login function starts its life, looking mostly like the one shown above. Now, if we add autoline ("remember me") to the mix, we get something like this:

 function login(username, password, remember_me) { user = db->get_user(username) if (user == false) { report_error("Unknown username") exit } if (user->password != hash(password)) { report_error("Incorrect password") exit } // User authenticated, set session cookie session->set_data('current_user', user->username) if (remember_me == true) { cookie_token = random_string(50) set_cookie('autologin_cookie', cookie_token, ONE_MONTH) // Finally, save a hash of the random token in the user table db->update_user(user, 'autologin_token', hash(cookie_token)) } }

Plus, the function of automatic login if a cookie is present:

 function cookie_login() { cookie = get_cookie('autologin_cookie') if (cookie == false) { return false } // Only for demonstration; cookie should always include username as well user = db->get_user_by_cookie(cookie) if (user == false) { // Corrupt cookie data or deleted user return false } // User authenticated, set session cookie session->set_data('current_user', user->username) return true }

NOTE. The above approach is not a “best practice” and it is not very safe. In production code, you should always include the user ID in the cookie data, use several levels of throttling, store data about failed and successful logins, etc. All of this has been removed to simplify the basic authentication structure.

In any case, I hope this is what you were looking for, koldfyre. I do not know your background, but if you do not know how sessions and cookies you should read them separately, and if you need more detailed information, just ask.

PS: You can also check the " Ultimate Website Authentication Guide " question for practical approaches

0
source share

Look, it’s a little difficult for you to give you much more information that you already have here; I do not know why you want to impose generosity on him. Cookies are just a little named information, and you can put whatever you like into it. For a session, you need some sort of session id. There are agreements for this, or you can do it yourself. No matter what you do, when you set a cookie, you leave some data lying in the user's browser, something like this:

 mydomain.com: mystuff: this is my stuff, by golly.

When you return, you will receive a cookie and receive it back.

If you want to see all the details of this protocol, see the Wikipedia article .

0
source share

More articles:


All Articles