[CS] Authentication Quiz (Hash, Cookie, Session, Token) Day-82

cptkuk91 · March 17, 2022

Description of asymmetric key cryptography

  • Asymmetric key cryptography uses different keys for encryption and decryption.

  • The public key is a cryptographic key that can be disclosed to, and used by, anyone.

  • Data encrypted with the public key can only be decrypted with the corresponding private key.

Description of hash function

  • Reversing a hash (finding an input that produces a given hash value) is not absolutely impossible; it just takes far too much time.

  • With the SHA-256 algorithm the output length is always the same: 64 hexadecimal characters (256 bits), regardless of the input length.

  • A hash algorithm always returns the same hash value for the same input.

Description of cookies

  • Cookies can be deleted automatically via the MaxAge or Expires options.

  • The httpOnly option prevents JavaScript from accessing the cookie.

  • A cookie is sent only when the request satisfies conditions such as the cookie's domain, path, and sameSite settings.

  • domain
  • path
  • MaxAge / Expires
  • httpOnly
  • secure
  • sameSite

https://velog.io/@cptkuk91/CS-Hashing-Cookie-Day-81

Description of the sameSite option in cookies

  • SameSite: Strict (cookies are never sent on cross-site requests)

  • SameSite: Lax (cookies are sent cross-site only with GET requests)

  • SameSite: None (cookies are sent on cross-site requests of every method, but the Secure option is then mandatory for safety)

Description of session-based authentication method

  • The authentication state (session) is stored on the server.
  • The sessionId is stored in a cookie on the client.

Description of CSRF

  • Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform (for example, a malicious link that makes the browser send a request the user did not intend).

  • If the sameSite option is set to anything other than None (i.e. Lax or Strict), the server can prevent CSRF attacks.

Why use token authentication instead of session?

  • Server cost goes down, because the server no longer has to store session state.

  • If there are multiple servers, authentication can be managed effectively with tokens alone, without a shared session store.

  • Considering future scaling of the app, token-based authentication is recommended.

Explanation of JWT structure

  • Header: contains information about how the token was created; it specifies the signing (hashing) algorithm and the token type.

  • Payload: the second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically the user) and additional data.

  • Signature: computed over the encoded header and payload using the server's secret key and the algorithm named in the header, so that any change to the header or payload invalidates the token.
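The following is an added example, not code from the original post, tying the hash section to the JWT section: SHA-256 output is fixed-length and deterministic, and a JWT's signature is HMAC-SHA256 over the base64url-encoded header and payload keyed with the server's secret, so any change to the payload makes verification fail. The secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest: always 64 hex characters, whatever the input length."""
    return hashlib.sha256(data).hexdigest()

def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Undo b64url(): restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature; the signature is HMAC-SHA256 over the
    two encoded segments, keyed with the server's secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    # compact separators so the same claims always serialize to the same bytes
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def verify_jwt(token: str, secret: bytes):
    """Return the payload if the signature is valid, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        presented = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Accept only the algorithm this server issues; never let the token choose.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(b64url_decode(p))
```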
