Application Security and Hardening

Geekwise Academy


Week 4 - Authentication and Authorization


Instructors:

Corey Shuman


Slack Channel:

#application-security

Github Repo:

https://github.com/coreyshuman/GeekwiseApplicationSecurity

Lecture Notes:

http://coreyshuman.github.io/GeekwiseApplicationSecurity/LectureNotes



Table of Contents:



    Authentication

    We will use passwords to authenticate our users, and talk about why hashing passwords is important.

    Login page - basic validation

    What is salted password hashing?

    Hashing Security

    Using Bcrypt to Hash Passwords in NodeJS

    Bcrypt

    In Class: Let's build a simple Bcrypt App

    Login page - apply bcrypt

    Our homework assignment: use Bcrypt in our application to hash user passwords.

    Authorization

    We will investigate using cookies and tokens to provide authorization in our application.

    Cookies

    Cookies are small pieces of data stored in the client (web browser) and sent along with each request to the server.

    More details are available at [W3Schools: Cookies](https://www.w3schools.com/js/js_cookies.asp).

    Using Cookies with NodeJS

    To use cookies on our Node server, we need a way for Express to parse the cookie payload. That is where the [cookie-parser](https://expressjs.com/en/resources/middleware/cookie-parser.html) middleware comes in.

    Using and Hacking Cookies

    Let's build an application that uses cookies to remember the current user.

    What happens if we go into the console and manipulate the cookie?

    More secure cookies: Cookie Session

    The [Cookie Session](https://expressjs.com/en/resources/middleware/cookie-session.html) module allows us to store the session info on the server while keeping only a session id in the cookie.

    TODO: add cookie encryption



    Resources