Fundamental difference between Hashing and Encryption algorithms

Well, you could look it up in Wikipedia… But since you want an explanation, I’ll do my best here: Hash Functions: They provide a mapping between an arbitrary length input, and a (usually) fixed length (or smaller length) output. It can be anything from a simple crc32, to a full blown cryptographic hash function such … Read more

What is the best way to implement “remember me” for a website? [closed]

Improved Persistent Login Cookie Best Practice: You could use this strategy described here as best practice (2006) or an updated strategy described here (2015): When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie. The login cookie contains a series identifier and … Read more

What is token-based authentication?

I think it’s well explained here — quoting just the key sentences of the long article: The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. … Read more

Are HTTPS headers encrypted?

The whole lot is encrypted† – all the headers. That’s why SSL on vhosts doesn’t work too well – you need a dedicated IP address because the Host header is encrypted. †The Server Name Identification (SNI) standard means that the hostname may not be encrypted if you’re using TLS. Also, whether you’re using SNI or … Read more

Why Does OAuth v2 Have Both Access and Refresh Tokens?

The link to discussion, provided by Catchdave, has another valid point (original, dead link) made by Dick Hardt, which I believe is worth mentioning here in addition to what’s been written above: My recollection of refresh tokens was for security and revocation. <…> revocation: if the access token is self contained, authorization can … Read more

How should I ethically approach user password storage for later plaintext retrieval?

How about taking another approach or angle at this problem? Ask why the password is required to be in plaintext: if it’s so that the user can retrieve the password, then strictly speaking you don’t really need to retrieve the password they set (they don’t remember what it is anyway), you need to be able … Read more