4 Session cookie authentication
This chapter covers
- Building a simple web-based client and UI
- Implementing token-based authentication
- Using session cookies in an API
- Preventing cross-site request forgery attacks
So far, you have required API clients to submit a username and password on every API request to enforce authentication. While simple, this approach has several downsides from both a security and usability point of view. In this chapter, you’ll learn about those downsides and implement an alternative known as token-based authentication, where the username and password are supplied once to a dedicated login endpoint. A time-limited token is then issued to the client that can be used in place of the user’s credentials for subsequent API calls. You will extend the Natter API with a login endpoint and simple session cookies and learn how to protect those against cross-site request forgery (CSRF) and other attacks. The focus of this chapter is authentication of web-based clients hosted on the same site as the API. Chapter 5 covers techniques for clients on other domains and non-browser clients.
Definition
In token-based authentication, a user’s real credentials are presented once, and the client is then given a short-lived token. A token is typically a short, unguessable random string that can be used to authenticate API calls until the token expires, after which the client must log in again.
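The flow described above, written out as an added Python example (it is not the book's Java Natter code, and the `login`/`authenticate`/`logout` names, the in-memory user and token stores, the constructed user record and the 10-minute token lifetime are assumptions made for the example): the client presents its real credentials once, the server verifies them and issues a random token whose hash it stores alongside an expiry time, and later requests present only the token. A `now` parameter is accepted so expiry can be exercised deterministically.

```python
"""Minimal token-based authentication (added illustrative example, not the
book's Natter code). A login endpoint checks the real credentials once and
issues a short-lived random token; later requests present the token instead.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_LIFETIME_SECONDS = 600  # assumed lifetime: tokens expire 10 minutes after issue

# Constructed user database: username -> PBKDF2 hash of the password.
# A fixed salt is used only so the example is self-contained; real code uses a
# random per-user salt.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {
    "demo": _hash_password("correct horse battery staple"),  # constructed user
}


@dataclass
class TokenRecord:
    username: str
    expiry: float  # UNIX timestamp; the token is rejected at or after this time


# Server-side token store keyed by SHA-256(token). Only the hash is kept, so a
# leaked copy of the store does not contain usable tokens.
TOKENS: Dict[bytes, TokenRecord] = {}


def _token_key(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Verify the real credentials once; on success return a fresh random token."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    if stored is None:
        _hash_password(password)  # burn the same time so unknown users are not faster
        return None
    if not hmac.compare_digest(stored, _hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    TOKENS[_token_key(token)] = TokenRecord(username, now + TOKEN_LIFETIME_SECONDS)
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username a presented token stands for, or None if it is
    unknown, revoked or expired. Expired tokens are removed from the store."""
    now = time.time() if now is None else now
    key = _token_key(token)
    record = TOKENS.get(key)
    if record is None:
        return None
    if now >= record.expiry:
        del TOKENS[key]
        return None
    return record.username


def logout(token: str) -> bool:
    """Revoke a token before it expires. Returns True if it was present."""
    return TOKENS.pop(_token_key(token), None) is not None


if __name__ == "__main__":
    issued_at = 1_000.0
    tok = login("demo", "correct horse battery staple", now=issued_at)
    print("authenticated as", authenticate(tok, now=issued_at))
    print("after expiry:", authenticate(tok, now=issued_at + TOKEN_LIFETIME_SECONDS))
```

Two points the prose leaves implicit are visible in the code: the token carries no information about the user, so its only value lies in the server-side record that maps its hash to a username and expiry, and because the comparison is a dictionary lookup on a hash, the token itself never needs to be stored in a recoverable form. Chapter 5 replaces this in-memory store with something more durable, and the sections below handle how a browser-based client holds the token.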