Everyone knows the decades-old scheme of password-based login. Records about users known to the application are stored in the database table called users
. Each record has the username
and password
fields (the actual information tokens necessary for authentication) along with other information about the user.
The basic table looks like this in the MySQL Workbench (http://www.mysql.com/products/workbench/):
The username
field is used to actually identify the user among others. Therefore, it has the UNIQUE
constraint.
The password
field contains a special string known, by definition, only to the user and the application. To further protect the password, the application does not store it as plain text, but as its cryptographically secure hash value, which is generated by an algorithm such as bcrypt
. In this way, the application has no way to know the original plaintext version of password.
The most important part of password storage is the cryptographically secure part. So, the algorithm of hashing should exhibit the following traits useful for our purposes:
When authenticating, a user provides the username to claim who he is and the password to prove it. As the application knows which algorithm it used to hash the password when the user was registering, it hashes the provided password in the same way and compares the resulting string with what it has in the database for the provided username. If hashes are found identical, then the user is really who he claims to be and we consider him authenticated.
Well, you probably know that already. Let's implement this authentication method in our example CRM application.
Note that username/password authentication is not the only way to authenticate the user. There are other methods, varying both in complexity of security checks and the user interface. To name a few, there is the OpenID initiative (http://openid.net/) and the OAuth protocol (http://oauth.net/2/) to authenticate in an application using credentials of another application, and signed and confirmed SSL certificates (https://developer.mozilla.org/ru/docs/Introduction_to_SSL#_Client_Authentication_).
We will ultimately perform the following steps:
18.118.137.7