What's an Authentication?
Servers are basically stupid computer programs that cannot remember who and what made a request after serving i...
I had to build an authentication system just like you described this weekend and there are a lot of things that I have done in the same way.
One thing that is worth noting is that bcrypt is not the most recommended way for salting and hashing passwords anymore. I will not try to get into details because I'm not a security expert, but there are several blogs and questions about this and the consensus today is to use Argon2. I suggest people do their own research to reach their own conclusions.
PS: There is a typo on "remember" in the GenerateRemeberToken function.

Thanks a ton for reading the article thoroughly! I get it, there are many other better and worse alternatives, but for most cases (like a person starting out on their web dev journey) with a decent computer the compression algorithm to generate the hash would be just fine. There are alternatives like scrypt, PBKDF2 and argon2 which are said to be better, but I'd say not every platform I have seen supports scrypt, and argon2 needs a GPU to churn out better results. The idea is to learn what hashing is and how it is different from encryption; then these can be looked into. Thanks for pointing out the typo. I am truly grateful for guiding readers towards more curiosity-driven solutions.

Nice post. It helped me to understand a few concepts I was in doubt about. Thank you.
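The thread above compares bcrypt, scrypt, PBKDF2 and Argon2 and mentions a remember-token function. The following is an added example, not code from the article or from any commenter, showing the two pieces side by side with only the Python standard library: a salted, memory-hard password hash using hashlib.scrypt (Argon2 is not in the standard library, so scrypt stands in for it here), and a remember token whose random value goes to the client while only its SHA-256 hash is stored server-side. The storage format "scrypt$n$salt$digest" and the cost parameters are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Cost parameters chosen for this example: 128 * n * r bytes of memory (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, cost, hex salt, hex digest."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    algo, n, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def generate_remember_token() -> Tuple[str, str]:
    """Return (raw_token_for_cookie, hash_to_store_in_db).

    The raw value is never written to the database, so a leaked table does not
    hand out working cookies; the hash is what the server compares against later.
    """
    raw = secrets.token_urlsafe(32)
    return raw, hashlib.sha256(raw.encode("utf-8")).hexdigest()


def verify_remember_token(raw: str, stored_hash: str) -> bool:
    """Hash the presented cookie value and compare it to the stored hash."""
    presented = hashlib.sha256(raw.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, stored_hash)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("tr0ub4dor&3", record))
    cookie_value, db_hash = generate_remember_token()
    print("remember ok:", verify_remember_token(cookie_value, db_hash))
```

Same password hashed twice yields different records because the salt is random; verification still succeeds because the salt travels inside the stored record. hmac.compare_digest keeps the comparison time independent of where the first mismatching byte sits.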
Thanks a ton for reading it through! Please implement it on your own in a side project before using ready-made authentication services. It gets really easy to understand and explain. One cool thing you could do is add some sort of caching so that you don't have to query the database using rememberTokenHash on each page visit.
On my last project, I encrypted the user ID and stored it in the cache. So when the user accesses an authenticated page, the server takes the cached ID, decrypts it (only the server knows the key) and stores it as a session variable, so the user will always be logged in. But I don't know if it was a good idea.
Let me think about it for a while, I will get back to you with some cons of this approach which you had chosen earlier. :)
A web server can be made stateful by adding session storage. I don't know when it is required, though.
It is a very informative and valuable blog for me in order to understand "Web Authentication System By Universal Principles". But I would suggest one blog should be on "clean code core concepts".
Thanks a lot for reading it through! Yes, Clean Code practices are a thing I have wanted to do for a while now. I think a pocket guide is a good idea, with examples. Cheat sheets come in handy and people use them more often, so it is retained in memory.
What do you think of JWT tokens?
Once you get the hang of these basic principles you can choose any ready-made stuff you want. The idea is to learn why a certain service exists and how to create our own. The ready-made services are not very alterable :)