



Authentication and Authorization on the Web

Nigel Chapman and Jenny Chapman

Published by MacAvon Media, 246 pages.

ISBN13: 978-0956737-05-2, ISBN10: 0-956737-05-6


A short book in the Web Security Topics series, intended for Web developers. Provides a detailed description of setting up, managing and maintaining the security of user accounts in Web applications. Covers secure storage of passwords, authentication of users’ identities, and methods of authorization for restricting the operations that users may perform. Includes code examples in JavaScript/Node.js, key points at the end of every section and a full glossary.

Also available as a Kindle e-book from Amazon. Recommended prices for paperback £9.99 (GBP), $16.99 (USD), €12.99 (EU); Kindle edition £4.59 (GBP), $6.79 (USD), €5.49 (EU), Rs200 (INR, for customers in India only) – actual prices may vary, depending on your location.

First published 2012-10-08


Web applications manipulate resources in response to requests from users. It is often necessary to determine whether a requested operation should be allowed for the user who sent the request. This process of authorization – that is, deciding whether an application should be allowed to carry out the operation which a request from a particular user or program calls for – depends on, but is separate from, the process of authentication. Authentication means determining the identity of the user or program sending the request. This is usually done by maintaining user accounts, protected by passwords, and by requiring users to log in.

Written for professional and student Web developers, this book provides a clear and practical description of authentication and authorization for Web sites. Secure methods of storing users’ account details and passwords are described. The authors explain different methods of authentication, and techniques for applying authorization to requests from authenticated users.

Drawing on a thorough understanding of computing principles and many years of practical experience in Web application development, the authors explain the available techniques for maintaining user accounts and protecting users’ data from unauthorized operations. A simple application, written in JavaScript and built on the Express framework, is developed throughout the book to demonstrate the principles. Clear key points summarize each section, notes on relevant topics in cryptography are included, and technical terms are defined in a 16-page glossary.

Topics covered include:

• Hashing and salting passwords
• Resetting passwords
• Session-based authentication
• HTTP authentication
• OpenId
• Role-based authorization
• OAuth

Table of Contents

(Chapter openings are shown in bold.)

About This Book vii
Introduction 1
HTTP and Web Applications 4
Databases 11
User Accounts 19
Passwords 24
Storing Passwords 27
Key Points 46
Managing Accounts 47
Creating and Updating Accounts 47
Preventing the Creation of Bad Accounts 57
Resetting Passwords 63
Key Points 70
Authentication 73
Session-Based Authentication 77
Cookies 78
Sessions 82
Authentication Using Sessions 86
Key Points 97
Attacks Against Sessions 99
Key Points 110
HTTP Authentication 112
Basic Authentication 112
Digest Authentication 119
HTTP Authentication by the Server 122
HTTP Authentication and Usability 126
Key Points 128
OpenId 130
Key Points 142
Authorization 143
Account-Based Authorization 146
Managing User Accounts 146
Managing Users’ Resources 151
Controlling Access to Other Users’ Resources 167
Key Points 173
Role-Based Authorization 175
Administrators 175
Roles 182
Key Points 191
OAuth 193
Key Points 200
Notes On Cryptography 203
Secret-Key Cryptography 206
Cryptographic Hash Functions and MACs 207
Public Key Cryptography 209
Certificates 210
Secure Communication on the Web 211
Glossary 213
Index 229