Logging in to a website is a fundamental function found on practically every site. We meet it constantly: on forums, on social networks, on bank websites, in the comments under news articles. Yet not everyone knows what technology sits behind the «Enter» button.
The mechanism of authorization
It begins with identifying the user. The user enters a login and a password into the authorization form and sends them to the system. Using these two values, the system looks up the user's account in the database and, if it is found, creates a session for that user.
User passwords are not stored in the database in plain form. Instead, the database holds special alphanumeric keys: the result of applying a special cryptographic function (a hash function) to the password. Such functions are one-way, and recovering the password from their output is extremely difficult. This is done so that, in case of a data leak, attackers cannot take the login and password and try them on the user's accounts on other sites (many users set the same password on every service).
Session and cookies
A session consists of a key (a unique string of characters) and data. In the simplest case the data is just the user id from the database, but often other data is stored there too: an unpaid order in the basket, an unsent comment, an unpublished photo, and so on.
When a session is created, only its key is sent to the user; the session data itself never leaves the server. From then on, the user's browser sends this key with every request, which lets the server identify the user again within the same session. Without this mechanism the user would have to log in again on every transition from page to page.
The browser sends the session key using the mechanism called cookies. For each cookie the server can set an expiration date, after which the browser deletes the cookie automatically. If no expiration date is given, the cookie is destroyed when the user closes the browser window.
Function «remember me»
It is exactly the cookie expiration mechanism that makes the «remember me» function work. By default, the service creates a session whose cookie expires when the browser is closed. But if the user ticks the «remember me» box, the server sets the cookie with a much longer expiration date: from a month to several years, depending on the service.
Unfortunately, the longer a cookie lives, the higher the probability of so-called session theft: an attacker stealing the session key stored in the cookie. A stolen key allows operations to be performed in the user's name. For this reason, services such as payment providers and the personal account areas of bank websites do not offer the «remember me» mechanism. Moreover, they often add extra protection, for example sending a special code to the user's mobile phone to confirm identity.
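The session and cookie mechanism from the two sections above, as an added example that is not part of the original article: a server-side session store that hands out only a random key, a Set-Cookie header that carries the key (with a Max-Age only when «remember me» was ticked; the 30-day lifetime is an assumed value), parsing of the Cookie header on later requests, and a logout that invalidates the key on the server. The HttpOnly, Secure and SameSite attributes are standard cookie flags added here as the mitigations a practitioner would want against the session theft the text describes.

```python
import secrets
import time
from typing import Optional

# Lifetime of a «remember me» cookie; the text gives "a month to several years",
# 30 days is an assumed choice for this example.
REMEMBER_ME_LIFETIME = 30 * 24 * 3600


class SessionStore:
    """Server-side store: only the key leaves the server, the data stays here."""

    def __init__(self) -> None:
        self._sessions = {}  # key -> {"user_id": int, "expires": float|None, "data": dict}

    def create(self, user_id: int, remember_me: bool = False,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # 256 random bits: an unguessable session key
        expires = now + REMEMBER_ME_LIFETIME if remember_me else None
        self._sessions[key] = {"user_id": user_id, "expires": expires, "data": {}}
        return key

    def lookup(self, key: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the session for a key, dropping it if its lifetime has passed."""
        now = time.time() if now is None else now
        session = self._sessions.get(key)
        if session is None:
            return None
        if session["expires"] is not None and now > session["expires"]:
            del self._sessions[key]  # the server enforces the limit, not only the browser
            return None
        return session

    def destroy(self, key: str) -> None:
        """What «Log out» does: the key becomes useless even if someone copied it."""
        self._sessions.pop(key, None)


def set_cookie_header(key: str, remember_me: bool) -> str:
    """Build the Set-Cookie header the server returns after a successful login.

    HttpOnly keeps page scripts from reading the key and Secure keeps it off
    plain HTTP; both reduce the session-theft risk. Without Max-Age the
    browser discards the cookie when it is closed.
    """
    attrs = [f"sid={key}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if remember_me:
        attrs.append(f"Max-Age={REMEMBER_ME_LIFETIME}")
    return "Set-Cookie: " + "; ".join(attrs)


def parse_cookie_header(header: str) -> dict:
    """Parse a request's Cookie header ("Cookie: a=1; sid=...") into a dict."""
    _, _, value = header.partition(":")
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def current_user(store: SessionStore, cookie_header: str,
                 now: Optional[float] = None) -> Optional[int]:
    """Identify the user behind an incoming request from its cookie, or None."""
    key = parse_cookie_header(cookie_header).get("sid")
    if key is None:
        return None
    session = store.lookup(key, now)
    return None if session is None else session["user_id"]


if __name__ == "__main__":
    store = SessionStore()
    key = store.create(user_id=7, remember_me=True, now=0)
    print(set_cookie_header(key, remember_me=True))
    print(current_user(store, f"Cookie: theme=dark; sid={key}", now=10))  # 7
    store.destroy(key)  # the user clicked «Log out»
    print(current_user(store, f"Cookie: sid={key}", now=10))  # None
```

The `now` parameter exists so the expiry can be exercised deterministically; in a real server the store would also be backed by a database or cache rather than a dict.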
Authorization by third-party services
On many websites, users can leave comments using their social network accounts. This works in several stages. Let's take authorization via Facebook as the example. What happens when the user presses the «Log in with Facebook» button?
First, the service sends the user to a special page on Facebook's website, where the user must confirm that they want to give the requesting service access to their data. Because this page is on the social network's website, the requesting service cannot fake this permission.
After the user confirms, Facebook returns the user to the requesting service, passing along an access key. Using this key, the service can later obtain the user's personal data or post a record on their wall.
The actual list of capabilities a service receives after authorization depends on the social network. Most social networks describe all these permissions in detail at the moment of the permission request.
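The three-stage exchange above, as an added example that is not part of the original article and does not use Facebook's real API: a simulated provider with a consent page on its own side, and a requesting service that sends the user there, receives the access key on the way back, and then uses the key to fetch profile data. The user record, the URLs and the permission name "profile" are constructed. The `state` value is a standard addition to such redirects that lets the service reject a return trip it did not start itself.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class SocialNetwork:
    """Stands in for the provider (Facebook in the text): it holds the user's
    identity and shows the consent page on its own domain."""

    def __init__(self) -> None:
        # Constructed user record; the requesting service never sees a password.
        self.users = {"u42": {"name": "Alice", "email": "alice@example.invalid"}}
        self.tokens = {}  # access key -> (user_id, granted permissions)

    def authorize(self, user_id: str, redirect_uri: str, state: str,
                  scopes: list, user_accepts: bool) -> str:
        """The consent page. Returns the URL the user is sent back to."""
        if not user_accepts:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        token = secrets.token_urlsafe(24)  # the access key handed to the service
        self.tokens[token] = (user_id, tuple(scopes))
        return redirect_uri + "?" + urlencode({"access_token": token, "state": state})

    def api_profile(self, token: str):
        """Provider API: hands out data only for a valid key with the right permission."""
        entry = self.tokens.get(token)
        if entry is None or "profile" not in entry[1]:
            return None
        return dict(self.users[entry[0]])


class ServiceSite:
    """The requesting service that offers the «Log in with Facebook» button."""

    AUTH_PAGE = "https://provider.invalid/consent"  # assumed address

    def __init__(self, provider: SocialNetwork, redirect_uri: str) -> None:
        self.provider = provider
        self.redirect_uri = redirect_uri
        self.pending_states = set()  # logins we started and have not finished

    def start_login(self, scopes: list) -> str:
        """Stage 1: send the user to the provider's consent page."""
        state = secrets.token_urlsafe(16)  # ties the return trip to this login
        self.pending_states.add(state)
        return self.AUTH_PAGE + "?" + urlencode(
            {"redirect_uri": self.redirect_uri, "scope": " ".join(scopes), "state": state})

    def finish_login(self, callback_url: str):
        """Stages 2 and 3: the user comes back with the access key; use it."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            return None  # not the return of a login we started: reject it
        self.pending_states.discard(state)
        if "access_token" not in query:
            return None  # the user declined on the consent page
        return self.provider.api_profile(query["access_token"][0])


def run_flow(user_accepts: bool):
    """Drive the whole exchange for one user; returns the profile or None."""
    provider = SocialNetwork()
    service = ServiceSite(provider, "https://service.invalid/callback")
    consent_url = service.start_login(["profile"])
    # The browser lands on the provider, which reads the request parameters.
    params = parse_qs(urlparse(consent_url).query)
    back_url = provider.authorize(
        "u42", params["redirect_uri"][0], params["state"][0],
        params["scope"][0].split(), user_accepts)
    return service.finish_login(back_url)


if __name__ == "__main__":
    print(run_flow(user_accepts=True))   # {'name': 'Alice', 'email': 'alice@example.invalid'}
    print(run_flow(user_accepts=False))  # None
```

Two points the simulation makes visible: the consent decision is taken on the provider's side, so the service can only receive the outcome, and the key it receives works only for the permissions the user actually granted.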
Safety recommendations for users
1. Use different passwords for different websites. Remembering a whole set of passwords is hard, so you can use a password manager service to solve this problem.
2. If you work on someone else's computer, untick the «remember me» box and click «Log out» when you finish. This deletes the session and prevents the next user from using your credentials for their own purposes.
3. If you log in via a social network, read the requesting service's permission request carefully. Intrusive services often like to publish advertising on your wall in your name.
Authorization is the main protection of a user's personal data on the Internet, so it is worth treating this important function responsibly.