Is Basic Authentication a session-based authentication, and why is JWT more recommended?
I'm learning about Basic Authentication and JWT Authentication with Java and Spring, and I want to ask you if basic authentication is a session-based authentication.

I know that in a session-based authentication, when the client logs in, a sessionId is stored in a cookie on the client browser, and after that, when the client makes another request, the server compares the sessionId with the data stored in the memory of the server. I also want to ask you how the sessionId is sent from the client browser to the server. Is it sent in a header like a token, or how?

And the last question is how the server validates the JWT token. I know that in the case of session authentication, the sessionId sent from the client is compared with the data in the memory of the server. But what happens in the case of JWT authentication? The token is sent in the header, and I know that the server validates it and that there is no data in the memory of the server. Then how does the server compare the token? Any feedback will be appreciated! Thank you!

Kep answered 20/1, 2020 at 19:14 Comment(0)

if basic authentication is a session based authentication?
I know that in a session based authentication

well then why do you ask?

Actually, basic authentication means that the user credentials (username and password) are sent in the Authorization HTTP header:

Authorization: Basic base64(username:password)

The server may or may not use a session cookie. A session cookie may be used with other authentication means, or even without any authentication.

how is the sessionId sent from client browser to server?

As a session cookie. A session cookie is sent as an HTTP header which the browser treats as session-persistent.

And the last question is how the server validate the Jwt token?

The JWT token should be signed. Note that the token usually has 3 parts:

header.body.signature

The header specifies the signature type (an asymmetric key or a shared secret), and the signature is the authenticated (signed or HMAC-ed) header and content.

So the server must validate the issuer, the expiration and the signature.

So the server (service provider) doesn't need to know the client's identity upfront. The service provider needs to know the issuer's (the authentication service which issues the JWT token) public key or shared secret key.

After the JWT validation, the service can assume the caller's identity based on the information in the JWT token.

why Jwt is more recommended?

It depends on the use case (everything has its pros and cons).

I'd recommend using JWT in a distributed and/or microservice architecture. The service doesn't need to access the credentials or to authenticate the user.

Labialize answered 20/1, 2020 at 20:14 Comment(2)
Thank you for the response. I want to ask you: in the case of JWT, the JWT is sent to the client and there is no information on the server side, isn't it? Then how does the server store the secrets for every user? I think it should store key/value pairs like this: user1/secret1, user2/secret2. Or how? (Kep)
What do you call "server" in this case? You may want to separate a "server" service providing resources (actually doing something) if the client provides a token; it is usually called an SP, a Service Provider. Then there is an authentication service, an IdP, an Identity Provider issuing tokens. The identity provider needs to validate the user credentials (e.g. password, ...), so indeed it needs to have the user's secrets. However, NEVER store user passwords (plain or encrypted). (Labialize)
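The validation the answer describes (issuer, expiration and signature checks on a header.body.signature token), as an added example that is not part of the original answer. It assumes the HS256 shared-secret variant, standard-library Python only, and constructed secret and claim values; the issuer-side signing helper exists only so the check can be exercised offline.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(part: str) -> bytes:
    # JWT parts are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    # Issuer (IdP) side: HMAC-SHA256 over "header.body" gives the third part.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, expected_iss: str, now: int) -> dict:
    # Service-provider side: no per-user state, only the issuer's shared secret.
    # Raises ValueError on any failed check and returns the claims otherwise.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the configured algorithm; never let the token header choose it.
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims
```

Only after all three checks pass may the service trust `sub` and the other claims as the caller's identity.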

In basic authentication we need to send the username and password with every request.
In session authentication we send the username and password in the initial request. Then from the server response we get the session id, which is stored in the browser and used for the following requests.
In token authentication we send the username and password in the initial request. Then from the server response we get the token and use that for the following requests.
Hope you got it!!

Joktan answered 12/5, 2022 at 15:20 Comment(0)