| ID | f663c6ef-5698-4c3c-879d-b89ad666289f |
|---|---|
| DeertopiaVisibility | public |
Cookie-based authentication
The flow
The client sends the server a login request carrying its credentials (typically a username and password).
The server authenticates the user by verifying those credentials against something it trusts: a password-hash lookup in its own user database, an LDAP bind with the supplied password, etc.
On success the server generates an access token (more commonly called a session ID or session token) that is unique to this user's session: a long random value that an attacker cannot guess. The token is stored server-side, together with the user's identity and an expiry time, in a session store (in memory, in a database, or in a cache such as Redis). It is returned to the client in the login response as a Set-Cookie header. The cookie's Max-Age/Expires should match the server-side expiry, and it should carry the HttpOnly, Secure and SameSite attributes so that page scripts can't read it, it only travels over TLS, and the browser doesn't attach it to cross-site requests. From then on the browser attaches the cookie to every request it sends to that server; the server only has to send it once.
On each subsequent request the server reads the token from the Cookie header, looks it up in the session store and checks that it has not expired. If it resolves to a user, the server acts on that identity, e.g. authorising access to protected resources. Because the session lives on the server, logout (or an administrator) can invalidate it by deleting the entry, which makes the cookie useless even if the client still holds it.
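The whole flow as an added, self-contained example (not code from the original note): a constructed user table with a PBKDF2 password hash, a server-side session store keyed by a random token, a login that returns the Set-Cookie header with the attributes discussed above, a per-request lookup that enforces expiry, and a logout that invalidates server-side. The user name, password, salt, cookie name and the 15-minute TTL are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_TTL = 15 * 60  # seconds; used for both the cookie Max-Age and the server-side expiry
COOKIE_NAME = "session"  # assumed cookie name

# Constructed demo salt and user table. Only password hashes are stored, never plaintext.
_SALT = b"constructed-demo-salt-16"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": _hash_password("correct horse battery staple", _SALT),  # constructed user
}

# Server-side session store: token -> {"user": username, "expires": unix time}
SESSIONS: dict = {}


def verify_credentials(username: str, password: str) -> bool:
    """Step 2: check the supplied credentials against the stored hash."""
    stored = USERS.get(username)
    if stored is None:
        _hash_password(password, _SALT)  # do the work anyway so timing does not leak which usernames exist
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-3: on success create a session and return the Set-Cookie header value, else None."""
    now = time.time() if now is None else now
    if not verify_credentials(username, password):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL}
    return (f"{COOKIE_NAME}={token}; Max-Age={SESSION_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def _token_from_cookie_header(cookie_header: str) -> Optional[str]:
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def current_user(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Step 4: resolve the Cookie header of an incoming request to a username, or None."""
    now = time.time() if now is None else now
    token = _token_from_cookie_header(cookie_header)
    if token is None:
        return None
    session = SESSIONS.get(token)
    if session is None:
        return None  # unknown, already invalidated, or forged token
    if session["expires"] <= now:
        SESSIONS.pop(token, None)  # expired: drop it so it cannot be reused
        return None
    return session["user"]


def logout(cookie_header: str) -> str:
    """Invalidate the session server-side and tell the browser to drop the cookie."""
    token = _token_from_cookie_header(cookie_header)
    if token is not None:
        SESSIONS.pop(token, None)
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"


def token_from_set_cookie(set_cookie: str) -> str:
    """Helper for the client side of the demo: extract the token from a Set-Cookie header."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    hdr = login("alice", "correct horse battery staple")
    tok = token_from_set_cookie(hdr)
    print("login ->", hdr)
    print("request with cookie ->", current_user(f"{COOKIE_NAME}={tok}"))
    print("logout ->", logout(f"{COOKIE_NAME}={tok}"))
    print("request after logout ->", current_user(f"{COOKIE_NAME}={tok}"))
```

The `now` parameter exists only so expiry can be exercised deterministically; a real server would use the clock. Note that the lookup treats an unknown, expired and explicitly invalidated token identically, which is the property a stateless bearer token cannot give you without extra machinery.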