Question
I'm developing a simple web application in node.js. Users can log in from any page in the application, so I handle authentication in the server's code and logic, and the application's server-side code checks to see if a couple session variables are set. If they are, the application continues with user-specific information.
I'm unsure if this is the best way to handle the authentication logic. Should I move all authentication completely over to the application's code and only have the server listen and pass requests along, or, since the server is setting the session anyway, should I have it control back-end authentication logic as I'm handling it now?
In the end, what I'm really asking is: Conceptually, where should authentication be handled? In the server's code, or in the application's server-side code?
Explanation / Answer
First it's good that you are not considering client-side authentication as this can be spoofed.
The main problems I see with using the server's built-in mechanisms for authentication are:
Portability - Moving your application to a different server becomes significantly more difficult.
A lack of separation between local server users and remote web application users, when looking in your user list could make it harder to administer both the server and the application.
If your application is hacked, they've already gained access at user level to your server. I wouldn't mind betting that this is significantly less secure than using separate authentication methods.
I recommend making your web application perform the authentication, perhaps using a community maintained library or by building it yourself. Store your users in a database table.
This overcomes the downsides listed.
I don't recommend using authentication mechanisms of other sites. The reasons for that are many, but to mention a few:
Your visitor may not want to have an account with the 3rd party site.
It's poor practice to have one username/password for everything and this method is essentially doing that but with a veneer that makes people think it's ok.
It results in giving too much information to the 3rd party site (who share much of it with other sites which use their authentication mechanism).
The list is endless. I could add to it all day!