Bob uses a web application in order to achieve something. And:
- His browser is on diet, therefore it does not support cookies.
- The web application is a popular one, it deals with a lot of users at a given moment - it has to scale well. As long as keeping session would impose a limit to the number of simultaneous connections, and, of course, will bring a non-negligible performance penalty, we might like to have a session-less system :)
Some important notes:
- we do have transport security (HTTPS and its best friends);
- behind the curtains, the web application delegates a lot of operations to external services, on current user's behalf (those systems do recognize Bob as one of their users) - this means that we have to forward them Bob's credentials.
Now, how do we authenticate Bob (on each and every request)? Which would be a reasonable way to implement such a thing?
- playing tennis with the credentials via HTML form hidden fields... the ball contains the credentials (username & password) and the two rackets are the browser and the web application respectively. In other words, we may transport data back and forth via form fields instead of via cookies. At each web request, the browser posts the credentials. Though, in the case of a single-page application, this may look like playing squash against a rubber wall, instead of playing tennis, as the web form containing the credentials might be kept alive the entire lifetime of the web page (and the server will be configured not to offer the credentials back).
- storing the username & the password in the context of the page - JavaScript variables etc. Single-page required here, IMHO.
- encrypted token - based authentication. In this case, the log-in action would result in the generation of an encrypted security token (username + password + something else). This token would be served back to the client and the upcoming requests will be accompanied by the token. Does this make sense? We already have HTTPS...
- others...
- last resort: do not do this, store credentials in the session! Session is good. With or without cookies.
Does any web / security concern come into your mind, regarding any of the previously described ideas? For example,
- time-outing - we may keep a timestamp, along with the credentials (time-stamp = the time Bob entered his credentials). E.g. when NOW - timestamp > threshold, we might deny the request.
- Cross-site scripting protection - should not be different in any way, right?
Thank you a lot for taking the time to reading this :)
See Question&Answers more detail:os