Information Security

Guide to Common Authentication Methods: HTTP Auth, Cookie + Session, JWT, and OAuth

This article explains the principles and workflows of typical authentication mechanisms, including HTTP Basic authentication, cookie‑based sessions, JSON Web Tokens, and OAuth, detailing their encoding and signing steps, storage strategies, token refresh techniques, and security considerations for modern web applications.

360 Tech Engineering

Authentication is a fundamental part of web security; this guide introduces several widely used methods and their underlying principles.

HTTP Auth Authentication

HTTP provides a generic framework for authentication, with Basic authentication (RFC 7617) being the most common. It transmits credentials as a Base64‑encoded "user:password" string. Base64 is encoding, not encryption, so anyone who observes the request can recover the password; Basic authentication must therefore be used only over HTTPS.

Example of encoding credentials:

const email = "postmail@test.com";     // the address the sample output below decodes to
const password = "12345678";
const auth = `${email}:${password}`;   // RFC 7617: user-id ":" password
const buf = Buffer.from(auth, 'utf8'); // Node.js Buffer, no import needed
console.info(buf.toString('base64'));  // cG9zdG1haWxAdGVzdC5jb206MTIzNDU2Nzg=

Decoding the Authorization header:

// `authorization` holds the raw header value, e.g. "Basic cG9zdG1haWxAdGVzdC5jb206MTIzNDU2Nzg="
const buf = Buffer.from(authorization.split(' ')[1] || '', 'base64');
const decoded = buf.toString('utf8');
const sep = decoded.indexOf(':');       // split on the FIRST colon only: passwords may contain ':'
const user = [decoded.slice(0, sep), decoded.slice(sep + 1)];
// user[0] = email, user[1] = password

Other HTTP Authentication Schemes

Basic (RFC 7617)

Bearer (RFC 6750, OAuth 2.0 token)

Digest (RFC 7616)

HOBA (RFC 7486)

Mutual (draft‑ietf‑httpauth‑mutual)

AWS4‑HMAC‑SHA256 (AWS docs)

Cookie + Session

The server stores a session object while the client holds only a session ID in a cookie. Distributed systems often use Redis (or another key‑value store) for session persistence so that any server can look the session up. Sliding expiration keeps active users logged in by extending the session's expiry; to avoid writing to the store on every request, extend it only when the remaining lifetime drops below a threshold.

JWT (JSON Web Token)

JWT is an open standard (RFC 7519) that encodes a header, a payload, and a signature as three base64url‑encoded segments separated by dots.

Example token:

jwt-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoibHVzaGlqaWUiLCJpYXQiOjE1MzI1OTUyNTUsImV4cCI6MTUzMjU5NTI3MH0.WZ9_poToN9llFFUfkswcpTljRDjF4JfZcmqYS0JcKO8

Header (decoded): {"alg":"HS256","typ":"JWT"}

Payload (example fields): {"name":"lushijie","iat":1532595255,"exp":1532595270}

The signature is computed as HMAC‑SHA256 over base64url(header) + '.' + base64url(payload) using a secret key known only to the issuer, and is itself base64url‑encoded to form the third segment. Neither the header nor the payload is encrypted: anyone holding the token can read them, so the payload must not carry secrets.

Verification consists of recomputing the signature with the same secret and comparing it, in constant time, to the token's signature segment. A verifier should also pin the expected alg rather than trusting the value in the header, and check the exp claim against the current time.

OAuth

OAuth is an open standard that enables third‑party applications to access user resources without exposing passwords. The typical flow involves the resource owner authorizing the client, the client receiving an authorization code, exchanging it for an access token, and using the token to call protected APIs.

Grant types include:

Authorization Code (most secure, server‑side)

Implicit (for pure front‑end apps; now discouraged by the OAuth 2.0 Security Best Current Practice in favour of Authorization Code with PKCE)

Resource Owner Password Credentials (trusted internal apps)

Client Credentials (service‑to‑service)

Single Sign‑On (SSO)

SSO allows a user to log in once and gain access to multiple related services (e.g., QQ ecosystem) by sharing a common authentication token.

Comparison

Each method has trade‑offs: HTTP Basic is simple but less secure; Cookie + Session offers flexible revocation and works well with traditional web apps; JWT provides stateless authentication suitable for RESTful APIs but lacks built‑in revocation; OAuth enables delegated access across domains.

Written by 360 Tech Engineering

Official tech channel of 360, building the most professional technology aggregation platform for the brand.