InfoSec Notes
Comprehensive guide to web authentication including sessions, JWT, OAuth 2.0, and passwordless authentication methods.
Overview
Web authentication verifies the identity of users accessing web applications. Modern systems have evolved from simple username/password forms to sophisticated multi-factor, token-based, and passwordless approaches.
Session-Based Authentication
JSON Web Tokens (JWT)
JWT Structure
| JWT | xxxxx.yyyyy.zzzzz |
| "alg" | "HS256", |
| "typ" | "JWT" |
| "sub" | "1234567890", |
| "name" | "Alice", |
| "iat" | 1516239022, |
| "exp" | 1516242622 |
OAuth 2.0 Authorization Code Flow
Session vs JWT Comparison
| Feature | Session-Based | JWT |
|---|---|---|
| Storage | Server-side session store | Client-side token |
| Scalability | Requires shared session store | Stateless, scales easily |
| Revocation | Easy (delete session) | Difficult (wait for expiry) |
| Size | Small cookie (session ID) | Larger (contains claims) |
| Cross-domain | Difficult (cookie scope) | Easy (send in header) |
| Security | Session fixation risk | Token theft risk |
Interview Questions
- What are the security risks of JWT and how do you mitigate them?
- Risks: token theft (store securely, short expiry), no revocation (use blocklist or short-lived tokens + refresh), algorithm confusion (validate
algheader), oversized payload (don't store sensitive data in JWT). Mitigations: HttpOnly cookies for storage, short expiration, refresh token rotation.
- Explain the difference between authentication and session management.
- Authentication verifies identity (login). Session management maintains the authenticated state across subsequent requests. After authentication succeeds, a session token is issued; managing that token's lifecycle (creation, validation, expiry, invalidation) is session management.
- Why is PKCE required for OAuth 2.0 public clients?
- Public clients (SPAs, mobile apps) cannot securely store a client_secret. Without PKCE, an attacker who intercepts the authorization code can exchange it for tokens. PKCE adds a code_verifier that only the legitimate client knows, preventing code interception attacks.
- How would you implement token revocation for JWTs?
- Options: short expiry (5-15 min) with refresh tokens (revoke refresh token), token blocklist in Redis (check on each request), token versioning per user (increment version on logout), or event-driven invalidation. Each trades statefulness for revocation capability.
- What is the difference between OAuth 2.0 and OpenID Connect?
- OAuth 2.0 is an authorization framework (grants access to resources). OpenID Connect (OIDC) adds an identity layer on top: it provides an ID token (JWT) with user identity claims, a UserInfo endpoint, and standardized scopes (openid, profile, email) for authentication.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Web Authentication Mechanisms.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, web, authentication, mechanisms, web authentication mechanisms
Related Information Security Topics