Last Updated on August 25, 2023
User Authentication – Cookies
Nearly every web site faces this dilemma – how to authenticate and identify the users of it’s site. In real life it’s not difficult, you can give someone a photo id or pass, or even ask people to show their drivers license.
The point is that in the real world, you can provide proof of your identity by using a physical credential. So you can borrow a DVD from Blockbusters or get a discount in a hotel by simply showing a specific card that you possess.
The Digital Identification Dilemma
Unfortunately it’s not quite the same in the digital world, it’s impractical (although not impossible) to supply physical credentials to prove your identity. But it does work on basically the same premise – the web site request your credentials and you need to supply them to continue.
An online authentication system like a web site – needs to be supplied with one of the following:
- Something you possess
- Something you know
- Something you are
- Any or all of the above
All these are called ‘authentication factors’ and the more that is supplied – then supposedly the more secure the system is meant to be. For instance if you hear a phrase like ‘Two Factor Authentication’ it simply means that you need two of the above to verify your identity. For example an ATM machine is a good example as you need a card (something you possess) and a PIN access code (something you know) in order to draw out some cash from your account.
In the digital world there are many simple but slightly unreliable ones, for instance verifying your location by IP address is simple to code, but unfortunately unreliable as they c an change freqeuntly. There is one main way of authenticating a user online and that is the ‘cookie’. It’s a term that most of us will be aware of but perhaps not entirely sure what they are.
The cookie is defined as a ‘handle, transaction id, or other token of agreement between operating systems’. The cookie is like the ticket you get when you leave your suit at the dry cleaners. It’s good for only one thing, to get your suit back. The cookie is exactly the same in digital format – a record of a specific transaction or visit. The only difference apart from the lack of a physical token is that the cookie will be updated each time you come back and visit the same site.
This is basically what happens when you visit a web site:
- Web site asks browser to store some information.
- Web site supplies the information.
- Browser stores the information in a file locally (the cookie).
- Cookie doesn’t contain any private information.
- Cookie is presented on subsequent visits.
It’s not that complicated and it’s not intended to be. The real aim is to identify subsequent visits by the same individual – with the aim of storing passwords, preferences and choices made by that person. All the major browsers have the facility to block or restrict cookies of course if you are concerned about the privacy issues.
Thanks for the article. We all need to be more proactive about our personal account security. One thing that can’t be stressed enough is taking advantage of the 2FA (2-Factor Authentication). Although it’s been around for a while, not enough sites are offering and promoting this option. This is one of the best password managers because 2-Factor Authentication for me wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering my info enough protection. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.