What is authentication and why does it matter
authentication definition, authentication vs authorization, identity verification, trust model, HTTP statelessness, session problem
Authentication vs Authorization
Authentication answers one question: who are you? Authorization answers a different question: what are you allowed to do? A large share of access-control bugs come from confusing the two, usually by treating "logged in" as if it meant "allowed".
When a user submits a username and password, your server checks their identity — that is authentication. When that same user tries to delete another user's account and your server blocks them — that is authorization. They are separate checks and should live in separate layers of your code; passing the first never implies passing the second, so every handler that touches a resource needs its own authorization decision.
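The delete-account case above, as an added example that is not part of the course material: one handler that stops at authentication (any logged-in user can delete any account) beside one that performs the authorization check as a separate step. The user table, session table and request shape are constructed for the example; no web framework is involved.

```python
"""Added example (not from the course): keeping authentication ("who is
this?") and authorization ("may they do this?") as two separate checks."""
from dataclasses import dataclass, field

# Constructed data: accounts keyed by id, and a server-side session table
# mapping session id -> user id (filled in by a login step not shown here).
USERS = {
    1: {"name": "alice", "role": "user"},
    2: {"name": "bob", "role": "user"},
    3: {"name": "carol", "role": "admin"},
}
SESSIONS = {"sess-alice": 1, "sess-bob": 2, "sess-carol": 3}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape)."""
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def authenticate(request):
    """Authentication: map the request's credential (a session cookie here)
    to a user id, or None when no valid credential is present."""
    return SESSIONS.get(request.cookies.get("session"))


def can_delete_account(users, actor_id, target_id):
    """Authorization: a user may delete their own account; admins may delete any."""
    actor = users.get(actor_id)
    return actor is not None and (actor_id == target_id or actor["role"] == "admin")


def delete_account_vulnerable(request, users):
    """Checks only *who* the caller is, then trusts the target id from the
    request: any logged-in user can delete any other account."""
    if authenticate(request) is None:
        return 401
    users.pop(int(request.params.get("id", "0")), None)
    return 204


def delete_account(request, users):
    """Authenticate, then authorize, then act. Status codes as an HTTP
    handler would return them."""
    actor_id = authenticate(request)
    if actor_id is None:
        return 401                       # not authenticated
    try:
        target_id = int(request.params.get("id", ""))
    except ValueError:
        return 400                       # malformed target id
    if not can_delete_account(users, actor_id, target_id):
        return 403                       # authenticated, but not authorized
    if target_id not in users:
        return 404
    del users[target_id]
    return 204
```

The 403 is decided before the 404 on purpose: answering "not found" only for accounts the caller may not touch would let an attacker enumerate which ids exist.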
Why HTTP Makes This Hard
HTTP is stateless. Every request your server receives is a blank slate — it has no memory of the previous request. A user can log in on request #1, but on request #2 your server has no idea who they are unless the client sends something with that request that proves it is the same principal, and the server can verify it without trusting the client's word for it.
Every authentication system you will ever build is a solution to this one problem: how do you prove identity across multiple stateless HTTP requests?
The Three Approaches
There are three standard answers to the stateless problem:
- Sessions — server stores identity, gives client a cookie with an unguessable session ID that it looks up on every request
- Tokens — server signs a token containing identity, client sends it on every request, server verifies the signature instead of doing a lookup
- OAuth / Delegated auth — a trusted third party verifies identity on your behalf (strictly, OAuth delegates authorization and OpenID Connect adds the identity layer on top of it; the course treats them together)
This course covers all three. You will know when to use each and how to implement each securely from scratch.
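The stateless problem and the first two answers to it, as an added example that is not part of the course: a server that sees each request with no memory, a session approach that keeps identity server-side behind a random id, and a token approach that signs the identity so nothing is stored. Delegated auth needs a second party and is not shown. The signing key, the password table, the cookie and header names and the helper names are assumptions made for this example; the password is stored in clear only to keep the code short.

```python
"""Added example (not from the course): sessions vs. signed tokens as two
ways to carry identity across stateless HTTP requests."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed data. A real system stores a password hash, never the password.
USERS = {"alice": "correct horse battery staple"}
SESSIONS = {}                         # session id -> {"user": ..., "expires": ...}
TOKEN_KEY = secrets.token_bytes(32)   # assumed server-side secret for signing tokens


def check_password(username, password):
    """Authentication step shared by both approaches (constant-time compare)."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


# --- Approach 1: sessions (state lives on the server) ---------------------

def session_login(username, password, ttl=3600, now=None):
    """Store identity server-side and hand back an opaque, random id."""
    if not check_password(username, password):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
    SESSIONS[sid] = {"user": username, "expires": now + ttl}
    return sid


def session_identity(cookie_value, now=None):
    """Later requests carry only the id; the server looks everything else up."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(cookie_value)
    if entry is None or entry["expires"] <= now:
        SESSIONS.pop(cookie_value, None)  # expired entries are dropped
        return None
    return entry["user"]


# --- Approach 2: signed tokens (no server-side state) ---------------------

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_login(username, password, ttl=3600, now=None):
    """Put the identity and expiry in the token and sign them with HMAC-SHA256."""
    if not check_password(username, password):
        return None
    now = time.time() if now is None else now
    claims = _b64(json.dumps({"sub": username, "exp": int(now + ttl)}).encode())
    sig = _b64(hmac.new(TOKEN_KEY, claims.encode(), hashlib.sha256).digest())
    return f"{claims}.{sig}"


def token_identity(token, now=None):
    """Verify the signature before trusting any claim, then check expiry."""
    now = time.time() if now is None else now
    try:
        claims, sig = token.split(".")
        expected = _b64(hmac.new(TOKEN_KEY, claims.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None
        payload = json.loads(_unb64(claims))
    except (ValueError, AttributeError):   # malformed token, bad base64 or JSON
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


# --- What the stateless server actually sees ------------------------------

def identity_from_request(headers, now=None):
    """Identity exists only if this request itself carries a credential:
    a `session` cookie or a bearer token in the Authorization header."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return token_identity(auth[len("Bearer "):], now)
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return session_identity(value, now)
    return None
```

The trade-off the course will return to is visible here: the session server must keep and clean up `SESSIONS` but can revoke a session instantly by deleting it; the token server keeps nothing, so a token stays valid until `exp` unless a revocation list is added, which reintroduces state.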
