Understanding Authentication: Session Cookies, Tokens, SSO, OAuth2 & More
This article explains the fundamentals of authentication, covering session‑cookie and token methods, their workflows, security considerations, and advanced techniques such as single sign‑on, OAuth2, LDAP, and two‑factor authentication, with practical examples and code snippets.
What is Authentication?
Authentication (identity verification) determines whether a user has permission to access a system; it works much like a train ticket that is valid only for a certain time.
Common Authentication Methods
The article introduces several authentication mechanisms used in practice.
Session‑Cookie Authentication
Uses a server‑side session together with a browser cookie to identify a client. Because HTTP is stateless, the server creates a session and stores the client’s identifier; each request checks the session for the identifier.
In the “boss” product, the Session ID is stored in a database and cached in Memcached. The client receives a Set‑Cookie header that updates the expiration (6 hours) on each request, preventing premature expiration during complex operations.
⚠️ This approach is heavy because every API call updates the expiration time.
Pros:
Simple and easy to use; browsers automatically send the cookie.
Cons:
Cannot be used outside browsers (e.g., native apps).
Cookie Security Enhancements
Key cookie attributes:
Set a reasonable Expires/Max‑Age so a stolen cookie is not usable indefinitely.
Enable HttpOnly so page scripts cannot read the cookie.
Enable Secure so the cookie is only sent over HTTPS.
Token Authentication
In load‑balanced multi‑server environments, sharing sessions is difficult, so tokens are used. A token contains user information and can be verified without server‑side state.
Clients store the token (e.g., in localStorage) and send it with each request. The server validates the token and does not need to store session data.
JSON Web Token (JWT) structure: header.payload.signature. Header and payload are Base64url‑encoded (encoded, not encrypted).
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Usage example: Authorization: Bearer <token>
Drawbacks: the server cannot revoke a token before its expiration, and the payload is readable by anyone holding the token, so no sensitive data should be placed there.
Refresh tokens can be used to obtain new access tokens when the short‑lived access token expires.
Pros:
Lightweight; no server‑side storage; works on mobile.
Cons:
Once issued, a token remains valid until it expires.
Single Sign‑On (SSO)
When many business systems are spread across different domains, SSO provides “one login for all”.
Implementation often uses OpenID Connect (OIDC), which builds on OAuth2 and returns a JWT.
OAuth2 flow:
Client requests authorization from the resource owner.
Client obtains authorization grant.
Client exchanges the grant for an access token.
Authorization server validates the grant and issues the token.
Client uses the token to access protected resources.
Resource server validates the token and serves the request.
LDAP
Lightweight Directory Access Protocol (LDAP) is an open standard used by systems such as Jira and Confluence. It allows the same credentials to log into different systems but does not provide true SSO.
Other Methods – 2FA
Two‑factor authentication (e.g., Google Authenticator) generates a 6‑digit code based on a secret key and the current time.
// Browser-side TOTP with CryptoJS; leftpad, dec2hex and base32tohex are helpers of the original class not shown here.
let epoch = Math.round(new Date().getTime() / 1000.0);
if (localStorage.offset) { epoch += Number(localStorage.offset); } // optional correction for client clock skew
const period = 30; // time step; period is usually 30 seconds
const counter = Math.floor(epoch / period);
const time = this.leftpad(this.dec2hex(counter), 16, "0"); // counter as an 8-byte big-endian hex string
const key = this.base32tohex(secret); // the shared secret is Base32-encoded (as in otpauth:// URIs)
const hmac = CryptoJS.HmacSHA1(CryptoJS.enc.Hex.parse(time), CryptoJS.enc.Hex.parse(key)).toString(CryptoJS.enc.Hex);
// RFC 4226 dynamic truncation: the low nibble of the last byte selects a 4-byte window of the HMAC
const offset = parseInt(hmac.substr(hmac.length - 1), 16);
const otp = (parseInt(hmac.substr(offset * 2, 8), 16) & 0x7fffffff).toString();
const len = 6;
const result = this.leftpad(otp.substr(otp.length - len, len), len, "0"); // take the last 6 digits, zero-padded
Qingyun Technology Community