Many applications need to separate public and private information. This usually means two things: the interface should look different depending on who the user is, and server-side data must be protected from outsiders.
For example, users of the Munich Cinema application could record which movies they liked and maintain a history of favorite movies. They might also comment on other visitors' choices or keep a personal calendar of movies to watch.
For all of these actions, the application needs to know who we are (authentication) and what we are allowed to do (authorization). Over HTTP, authentication and authorization are closely related.
In this chapter, our goal is to understand the security aspects of browsers and the corresponding requirements on the backend.
We will discuss:
Bringing security to web browsers is a difficult subject. Ideally, we want to authenticate every HTTP request. In practice, however, asking users to enter their password repeatedly only frustrates them. Unfortunately, browsers currently provide no native support for secure sessions, and most authentication strategies are vulnerable to attacks.
To solve the authentication dilemma over HTTP, there are basically two approaches: