- Nigel Chapman and Jenny Chapman
- 978-0-9567370-5-2
- MacAvon Media, pb. 246 pages
- 8 October 2012
- Kindle edition (ASIN B009SCFHQI)
The Web Security Topics Series
Authentication and Authorization on the Web
Paperback prices: £9.99 (GBP), $16.99 (USD), €12.99 (EU) – prices at booksellers may vary.
Kindle edition prices: £4.93 (GBP), $7.29 (USD), €6.17 (EU), Rs250 approx (INR, for customers in India only) – prices at booksellers may vary.
A short book in the Web Security Topics series, intended for Web developers. Provides a detailed description of setting up, managing and maintaining the security of user accounts in Web applications. Covers secure storage of passwords, authentication of users' identities, and methods of authorization for restricting the operations that users may perform. Includes code examples in JavaScript/Node.js, key points at the end of every section and a full glossary.
This book is available in paperback and as a Kindle edition. You do not need a Kindle device to read Kindle books. Amazon provide free Kindle reading applications for most tablets as well as for MacOS and Windows.
Code Examples
All the JavaScript code examples featured in this book are available in a repository on GitHub. Please read the Code Examples page on this site for more details.
Full Description
Web applications manipulate resources in response to requests from users. It is often necessary to determine whether a requested operation should be allowed for the user who sent the request. This process of authorization – that is, deciding whether an application should be allowed to carry out the operation which a request from a particular user or program calls for – depends on, but is separate from, the process of authentication. Authentication means determining the identity of the user or program sending the request. This is usually done by maintaining user accounts, protected by passwords, and by requiring users to log in.
Written for professional and student Web developers, this book provides a clear and practical description of authentication and authorization for Web sites. Secure methods of storing users’ account details and passwords are described. The authors explain different methods of authentication, and techniques for applying authorization to requests from authenticated users.
Drawing on a thorough understanding of computing principles and many years of practical experience in Web application development, the authors explain the available techniques for maintaining user accounts and protecting users’ data from unauthorized operations. A simple application, written in JavaScript and built on the Express framework, is developed throughout the book to demonstrate the principles. Clear key points summarize each section, notes on relevant topics in cryptography are included, and technical terms are defined in a 16-page glossary.
Topics covered include:
- Hashing and salting passwords
- CAPTCHAs
- Resetting passwords
- Session-based authentication
- HTTP authentication
- OpenId
- Role-based authorization
- OAuth
Table of Contents
- Introduction 3
- HTTP and Web Applications 6
- Persistent Objects 14
- User Accounts 21
- Passwords 26
- Storing Passwords 29
- Key Points 48
- Managing Accounts 49
- Creating and Updating Accounts 49
- Preventing the Creation of Bad Accounts 59
- Resetting Passwords 65
- Key Points 73
- Authentication 77
- Session-Based Authentication 81
- Cookies 82
- Sessions 86
- Authentication Using Sessions 90
- Key Points 101
- Attacks Against Sessions 103
- Key Points 114
- HTTP Authentication 116
- Basic Authentication 116
- Digest Authentication 123
- HTTP Authentication by the Server 126
- HTTP Authentication and Usability 130
- Key Points 132
- OpenId 134
- Key Points 146
- Authorization 147
- Account-Based Authorization 150
- Managing User Accounts 150
- Managing Users’ Resources 155
- Controlling Access to Other Users’ Resources 171
- Key Points 177
- Role-Based Authorization 179
- Administrators 179
- Roles 186
- Key Points 195
- OAuth 197
- Key Points 204
- Notes On Cryptography 207
- Secret-Key Cryptography 210
- Cryptographic Hash Functions and MACs 211
- Public Key Cryptography 213
- Certificates 214
- Secure Communication on the Web 215
- Glossary 217