HAKATEMIA
Backend basics

Login, session management and access management

Difficulty: Easy, duration: 10 min

Authentication, session management, and access control are core components of web application security. Authentication means verifying the identity of a user. Session management means keeping track of an authenticated user across subsequent requests, since each HTTP request is otherwise independent. Access control, or authorization, means ensuring that a user can only perform actions and access data for which they have permission. Here is a brief explanation of how these functions work in web applications:

Authentication:

  1. The user enters their username and password on the login page of the web application.
  2. The web application receives the data and checks whether they match the stored user information.
  3. If the information is correct, the web application allows the user to log in and creates a session associated with the user's data.
  4. If the information is incorrect, the user will receive an error message and will be redirected back to the login page.

Authentication in practice

When a user logs in to a web application with a username and password, the web application compares the user's input with the data stored in the database. The database contains user information such as the username, a password hash (not the password itself) and other user details.

Password Hashes

It is important that the password is not stored in the database as is. Instead, a hash is computed from the password and the hash is stored. A hash function is a one-way function that transforms the password into a fixed-length, random-looking string that cannot be reversed back to the original password. This means the actual password is never stored in the database, only its hash. Because attackers who obtain the hashes can still try guessing passwords and hashing each guess, passwords should be hashed with a deliberately slow password hashing function (such as bcrypt, scrypt or Argon2) combined with a random per-user salt, rather than a fast general-purpose hash such as MD5 or SHA-1.

When the user enters a username and password on the login page, the web application retrieves the user's record from the database based on the username. It then hashes the password entered by the user with the same hash function (and the same salt stored with the record) and compares the result with the hash value stored in the database. If the two hashes are identical, the password entered by the user is correct and the user can log in; the comparison should be done in constant time so that timing does not reveal how many bytes matched.

This is essential, because if passwords were stored in plaintext, attackers could read users' passwords directly from a compromised database and reuse them, both against this application and against other services where the same password has been reused.
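The following is an added example, not code from the Hakatemia course, showing the login procedure above end to end: registration stores only a salt and a password hash, login hashes the submitted password with the same salt and compares in constant time, and a successful login creates a random session identifier. It uses PBKDF2-HMAC-SHA256 from the Python standard library so that it runs without extra packages; the iteration count, the in-memory `USERS` and `SESSIONS` dictionaries and the sample usernames are assumptions made for the example. A production application would typically use a library implementing bcrypt, scrypt or Argon2 and a real database and session store.

```python
import hashlib
import hmac
import os
import secrets

# Password hashing parameters (PBKDF2-HMAC-SHA256). The iteration count is
# an assumption chosen for this example; tune it for your own hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory stores standing in for the database and session store.
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # session id -> username


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash from the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only the salt and the hash; the password itself is never saved."""
    salt = os.urandom(SALT_BYTES)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


# Dummy record used when the username does not exist, so that a login attempt
# costs the same time for unknown and known users (no username enumeration by timing).
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def verify_password(username: str, password: str) -> bool:
    """Hash the submitted password with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, stored = record["salt"], record["hash"]
    candidate = hash_password(password, salt)
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, stored) and record is not None


def login(username: str, password: str):
    """Steps 2-4 of the procedure: check credentials; on success create a session."""
    if not verify_password(username, password):
        return None  # caller shows a generic error and returns to the login page
    session_id = secrets.token_urlsafe(32)  # unguessable session identifier
    SESSIONS[session_id] = username
    return session_id


def current_user(session_id: str):
    """Session management: map a presented session id back to the logged-in user."""
    return SESSIONS.get(session_id)


def logout(session_id: str) -> None:
    """Invalidate the session server-side."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    sid = login("alice", "correct horse battery staple")
    print("session:", sid, "user:", current_user(sid))
    print("wrong password:", login("alice", "wrong"))
    print("unknown user:", login("bob", "anything"))
```

Note that two users who choose the same password end up with different stored hashes because each record has its own salt, and that the stored hash can be compared only by recomputing it from a submitted password, never by decoding it.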
