Web authentication types

Basic Authentication

Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the word Basic followed by a space and a base64-encoded string username:password. For example, to authorize as user demo and password p@55w0rd the client would send: Authorization: Basic ZGVtbzpwQDU1dzByZA==.

Note: Because base64 is easily decoded, Basic authentication should only be used together with other security mechanisms such as HTTPS/SSL.

When users authenticate using their username and password, they're issued a token, containing an authentication ticket that can be used for authentication and authorization. The token is stored as a cookie that accompanies every request the client makes.

Cookie-based authentication is a popular form of authentication. Token-based authentication systems are growing in popularity, especially in Single Page Applications (SPAs).

Note: Cookie authentication is vulnerable to Cross-Site Request Forgeries (CSRF) attacks, so it should be used together with other security measures, such as CSRF tokens.

Token-based authentication

In each request, the token (access token) is passed in the request for server-side validation. This token isn't encrypted; it's encoded. On the server, the token is decoded to access its information. To send the token on subsequent requests, store the token in the browser's local storage. Don't be concerned about CSRF vulnerability if the token is stored in the browser's local storage. CSRF is a concern when the token is stored in a cookie. Similar to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).

Digest Authentication

Digest Authentication communicates credentials in an encrypted form by applying a hash function to the the username, the password, a server supplied nonce value, the HTTP method, and the requested URI.

In a digest authentication flow, the client sends a request to a server, which sends back nonce and realm values for the client to authenticate. The client sends back a hashed username and password with the nonce and realm. The server then sends back the requested data.