By Panh Kone, Full stack dev @ AKIL
What is a dynamic web page?
Before web 2.0, i.e. in the era of web 1.0, the web consisted only of static pages. The content of such a page is the same for every user who consults it, and it only changes when the administrator publishes an update.
With the dynamic web, users can consult personalized pages: for the same web address, each connected user may see different content. This raises a problem: how does the platform identify the user who is connected? That is how the login form was born.
Thanks to this form, it is now possible to know who is connecting to a website. In order to log in, the user must first create an account on the site. The information requested varies from one platform to another, but the main information used to identify (authenticate) a user remains the user name and password.
What is authentication?
Authentication can be defined as the mechanism by which a computer system confirms the identity of a user connecting to it.
We will first define the information needed to set up an authentication system. In this article, we will disregard the programming language.
Before attempting to authenticate on a system, the user must first have an account on that system. The account is created either by the system administrator or by the user himself. The essential information (see the account creation form) for a system is:
- the email
- the password
- user name (optional)
Then, depending on the programming language, you have to find a way to save this information permanently (in a database). For security reasons the password must never be stored in clear text as entered by the user. Instead the system stores the output of a password hashing algorithm, together with a random per-user salt, so that a leak of the database does not expose the passwords themselves and two users with the same password do not end up with the same stored value. Note that this is hashing, not encryption: the stored value cannot be turned back into the password, which is exactly what we want. Many password hashing algorithms exist; slow, salted algorithms designed for passwords (bcrypt, scrypt, Argon2) are preferred to a bare fast digest.
- sha512: historically the default message-digest encoder in Symfony, used with a salt and many iterations; a bare SHA-512 is fast and therefore easy to brute-force, and current Symfony versions recommend the "auto" hasher, which selects bcrypt or Argon2 depending on what the platform provides.
After creating his account on the IS (computer system) concerned, each time he wants to log in he has to fill in the information that proves his identity (see the login form). For reliable authentication, the user must be identifiable by information that is unique to him, for example the email or the user name. As for the password, which is indispensable, it confirms the identity of the user because it is secret.
A non-secret password is a door without a lock.
Technically, the user name or email entered in the login form is looked up in the database. If a record exists, the submitted password is hashed with the same algorithm and the same salt that were used when the account was created, and the result is compared to the hash stored in the database. If they match, authentication succeeds and the user is given access to the IS. Otherwise authentication fails and the user is notified; he does not get access to the IS. The failure message should not say whether it was the identifier or the password that was wrong, and a missing account should cost the server about as much time as a wrong password, otherwise the login form becomes a tool for discovering which emails have an account.
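The registration and login flow described above, written out as an added example in Python (this is not the article's code and not Symfony's; the follow-up articles will show the PHP/Symfony version). The user store is an in-memory dictionary constructed for the example, the scrypt work factors are assumed values, and the "dummy" hash exists only so that a login attempt against a non-existent account does the same amount of hashing work as a real one:

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: lower-cased email -> record.
USERS = {}

# scrypt work factors (assumed values for the example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt):
    """Derive a 32-byte hash from the password and a per-user random salt.
    scrypt is deliberately slow and memory-hard, unlike a bare SHA-512."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def find_user(identifier):
    """Look a record up by email (the key) or by the optional user name."""
    record = USERS.get(identifier.lower())
    if record is not None:
        return record
    for record in USERS.values():
        if record["username"] and record["username"] == identifier:
            return record
    return None


def register(email, password, username=""):
    """Create an account. Only the salt and the hash are stored, never the password."""
    if find_user(email) is not None or (username and find_user(username) is not None):
        return False  # email or user name already taken
    salt = os.urandom(16)  # fresh random salt per account
    USERS[email.lower()] = {
        "email": email,
        "username": username,
        "salt": salt,
        "hash": hash_password(password, salt),
    }
    return True


# Salt and hash of a fictitious account, computed once, so that a login attempt
# against an unknown identifier performs the same hashing work as a real check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("no such user", _DUMMY_SALT)


def authenticate(identifier, password):
    """Re-hash the submitted password with the stored salt and compare in constant
    time. Returns True on success; on failure it does not reveal whether the
    identifier exists or only the password was wrong."""
    record = find_user(identifier)
    if record is None:
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


if __name__ == "__main__":
    register("pol@savannah.example", "c0rrect-horse", "POL")
    print(authenticate("POL", "c0rrect-horse"))        # True
    print(authenticate("POL", "wrong"))                # False
    print(authenticate("nobody@savannah.example", "c0rrect-horse"))  # False
```

The two details that distinguish this from a naive implementation are the per-user salt (the same password gives a different stored hash for each account) and `hmac.compare_digest`, which compares the two hashes without stopping at the first differing byte.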
What is authorization?
Authorization is the immediate consequence of authentication.
The need to differentiate between the users of an IS quickly became a necessity for IT solution providers. For the stability of the system, certain critical actions should not be available to everyone. This is how the role of administrator came into being.
Authorization designates the mechanism that checks whether a category of users has the permission to perform an action or to access sensitive information on an IS. Distributing users according to their level of authorization (their role) is the minimum needed to speak of an authorization system.
As the image illustrates, an authorization system can include several aspects. Its level of implementation complexity and robustness increases with the parameters considered. The simplest remains the use of roles.
Using roles in the authorization system.
To achieve authorization based on the user's role, the user must be registered in the database. I will use a Tagbana fairy tale character for my illustration. Our character of the day is POL, which stands for the hare. In our tales, this character is considered the most intelligent animal.
It is a feast in the savannah and the king gives a reception. At the door stand two buffaloes, the most intrepid in the savannah (our authentication system), with the mission to let only four-legged animals through. POL is accepted at the entrance without difficulty. On the invitation cards the organizers have taken care to indicate the table of each guest. Our very clever hero had noticed that the panther would sit next to the royal table while he would be at the simple guests' table, so he falsified his card by writing "royal table" on it. Seating the guests was entrusted to TOPE or TCHEPE, the spider, reputed for its intelligence. He acts here as our authorization system. TOPE had three tables at which to place the guests. The royal table was reserved for the felines, like the panther, the neighbour of our friend POL. The noble table was for animals whose paws stood more than 20 cm above the ground. The last one gathered all the other guests, including our friend. The panther and the hare were on their way to the royal table when TOPE challenged POL, telling him that he had no access to the royal table. POL did not hesitate to show his forged card, on which it said "royal table". TOPE did not rely on the inscriptions on the card, but on his own criteria about the guests.
As illustrated, the system refuses or grants access to a resource based on the information registered about the user, not on what the user presents. For its implementation the user's role is added to the user's record in the database. It is assigned by the system (for example a default role at registration) or by the system administrator; it must never be taken from a value the user himself supplies, since a self-declared role is exactly POL's forged card. Each time an authenticated user wants to perform an action, the system retrieves his role from its own records and submits it to a check that decides whether the requested action is allowed for that role. If yes, the action is performed; if not, an error message is returned.
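The role check from the tale, as an added example in Python (not the article's own code). Two versions are shown side by side: `authorize_trusting_card`, which reads the role from the request the way TOPE would if he trusted the invitation card, and `authorize`, which reads it from the server-side record. The roles, the permission table, the user records and the request dictionaries are all constructed for the example, and the `user` field of a request is assumed to have been established by the authentication step:

```python
from enum import Enum


class Role(Enum):
    GUEST = "guest"
    NOBLE = "noble"
    ROYAL = "royal"


# Constructed permission table: action -> set of roles allowed to perform it.
# Any action not listed here is denied (default deny).
PERMISSIONS = {
    "sit_at_guest_table": {Role.GUEST, Role.NOBLE, Role.ROYAL},
    "sit_at_noble_table": {Role.NOBLE, Role.ROYAL},
    "sit_at_royal_table": {Role.ROYAL},
}

# Constructed server-side records. The role is set here by the system or the
# administrator and is the only source the authorization check consults.
USERS = {
    "pol": {"role": Role.GUEST},
    "panther": {"role": Role.ROYAL},
}


def is_allowed(role, action):
    """Role-based decision: True only if the role appears in the action's set."""
    return role in PERMISSIONS.get(action, set())


def authorize_trusting_card(request):
    """Flawed check: takes the role from the request itself, i.e. from the
    invitation card the guest wrote. A forged "role" field is enough to pass.
    Kept only to contrast with authorize() below; never use this."""
    role = Role(request.get("role", "guest"))
    return is_allowed(role, request["action"])


def authorize(request):
    """Correct check: the identity comes from authentication (assumed done), the
    role comes from the server's own record, and any "role" field sent by the
    client is ignored."""
    record = USERS.get(request["user"])
    if record is None:
        return False  # unknown user: deny
    return is_allowed(record["role"], request["action"])


def handle(request):
    """What the application does with the decision: perform or report an error."""
    if authorize(request):
        return "%s: %s performed" % (request["user"], request["action"])
    return "%s: %s refused" % (request["user"], request["action"])


if __name__ == "__main__":
    # POL's forged card: a "role" field claiming royal status.
    forged = {"user": "pol", "action": "sit_at_royal_table", "role": "royal"}
    print(authorize_trusting_card(forged))  # True  (the card was believed)
    print(handle(forged))                   # pol: sit_at_royal_table refused
    print(handle({"user": "panther", "action": "sit_at_royal_table"}))
```

Two design choices are worth noting: unknown actions and unknown users are denied rather than allowed, and the permission table is the single place where "which role may do what" is written down, so adding a table or an action does not require touching the check itself.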
Authentication allows the IS to answer the question "Who are you?". Authorization answers yes or no to the user's question "Can I have access to this resource?".
In future articles, we will show the technical implementation of these concepts with PHP and Symfony.