Auth
coloradokim edited this page Oct 31, 2017
- Signing in
- Signing Out
- Verifying the password a user entered on the login form
  - Form-based
    - A username and password are stored in a database
  - OAuth
    - The user signs in with their Facebook, Google, Github, etc. account
  - Single Signon
    - One Login and other Enterprise systems
- Signing up
  - The user enters a username and password: `email=kim@example.com&password=password`
  - A `POST` request is sent with the data
  - The program checks to see whether or not the username is in use
  - The program hashes the password
  - The program stores the username and hashed password in the DB
- Signing in
  - The user enters their username and password: `email=kim@example.com&password=password`
  - A `POST` request is sent with the data
  - The password the user entered is hashed
  - The username and hashed password are compared to what is stored in the DB
  - A cookie is set
- RBAC
- Salts
  - A salt is a long, random string of bytes that gets added to a password before it is hashed
  - The idea is to make a brute force attack less likely (?)
  - Old-school approaches meant one salt per DB
  - Newer approaches have per-user salts
- Bcrypt
  - Bcrypt was designed to create password hashes
  - It takes 100ms to compute (in 2012, anyway)
  - It is SLOW on purpose: 10,000 times slower than sha1()
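The sign-up and sign-in flows above, together with the per-user salt and slow-hash points, worked through as an added example (this is not code from the wiki page). bcrypt is not in the Python standard library, so the example uses `hashlib.pbkdf2_hmac` with a high iteration count as a deliberately slow stand-in; the flow (parse the form body, refuse a username already in use, generate a per-user salt, hash, store, re-hash and compare on login) is the same. The `USERS` dict, the function names and the `ITERATIONS` value are assumptions made for the example; setting the session cookie is left out.

```python
"""Form-based sign-up / sign-in with per-user salts and a slow password hash.

Added example, not the wiki page's own code. PBKDF2-HMAC-SHA256 stands in
for bcrypt because bcrypt is not in the standard library; the in-memory
USERS dict stands in for the database. All names here are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed in-memory "database": email -> {"salt": bytes, "hash": bytes}
USERS: Dict[str, Dict[str, bytes]] = {}

# Work factor. Like bcrypt's cost parameter, raise it as hardware gets faster
# so the hash stays slow on purpose (assumed value for the example).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash of the password (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def parse_form(body: str) -> Tuple[str, str]:
    """Parse an application/x-www-form-urlencoded POST body into (email, password)."""
    fields = parse_qs(body, strict_parsing=True)
    try:
        return fields["email"][0], fields["password"][0]
    except KeyError as missing:
        raise ValueError(f"form is missing field {missing}") from None


def sign_up(body: str) -> bool:
    """Sign-up flow: parse the form, refuse a username already in use,
    generate a per-user salt, hash, and store salt + hash."""
    email, password = parse_form(body)
    if email in USERS:  # the username is already in use
        return False
    salt = os.urandom(SALT_BYTES)  # per-user salt, never shared or reused
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}
    return True


def sign_in(body: str) -> bool:
    """Sign-in flow: parse the form, re-hash the entered password with the
    stored salt, and compare it to the stored hash in constant time."""
    email, password = parse_form(body)
    record = USERS.get(email)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"])
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, record["hash"])


def stored_hash(email: str) -> bytes:
    """Return the stored hash for a user; lets a caller check that two users
    with the same password still get different hashes thanks to their salts."""
    return USERS[email]["hash"]


if __name__ == "__main__":
    print("sign up kim:", sign_up("email=kim@example.com&password=password"))
    print("sign up kim again:", sign_up("email=kim@example.com&password=password"))
    print("sign in kim, right password:", sign_in("email=kim@example.com&password=password"))
    print("sign in kim, wrong password:", sign_in("email=kim@example.com&password=wrong"))
    print("sign up lee, same password:", sign_up("email=lee@example.com&password=password"))
    print("hashes differ:", stored_hash("kim@example.com") != stored_hash("lee@example.com"))
```

Two details carry the page's points: the salt is generated per user with `os.urandom`, so `kim` and `lee` choosing the same password end up with different stored hashes, and the comparison on login uses `hmac.compare_digest` rather than `==` so the check does not finish faster on a near miss.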