Chapter 9. Authentication

Many applications require spaces for public and private information. This usually means two things: the interface should look different depending on who the user is, and server-side data must be protected from outsiders.

For example, users of the Munich Cinema application could store which movies they liked and maintain a history of favorite movies. They might also comment on other users’ choices or maintain a personal calendar for movies to watch.

For all these actions, the application needs to know who we are (authentication) and what we are allowed to do (authorization). Authentication and authorization over HTTP are closely related.

In this chapter, our goal is to understand the security aspects of browsers and the corresponding backend requirements.

We will discuss the following:

  • Security of Backbone applications
  • Principles of client-server authentication
  • Managing sessions
  • Modal dialogs for signup and login

Security in Browsers

Bringing security to web browsers is a difficult task. Ideally, we want to authenticate every HTTP request. In practice, though, entering a password over and over quickly becomes frustrating for users. Unfortunately, browsers do not provide native support for secure sessions right now, and most authentication strategies are vulnerable to attacks.

To solve the authentication dilemma over HTTP, there are basically two approaches:

Cookies
This is the most popular, but also one of the less secure approaches to securing web applications in browsers. The ...
