Session, Cookies and Authentication
Presented By: Aanchal Agarwal and Anirudh Singh Chauhan
Session Etiquettes
Lack of etiquette and manners is a huge turn off.
Punctuality: Respect Knolx session timings; you are requested not to join sessions after a 5-minute threshold past the session start time.
Feedback: Make sure to submit constructive feedback for all sessions, as it is very helpful for the presenter.
Silent Mode: Keep your mobile devices in silent mode; feel free to move out of the session in case you need to attend an urgent call.
Avoid Disturbance: Avoid unwanted chit-chat during the session.
Agenda
01 Overview
02 What are Cookies?
03 What is a Session?
04 What is Authentication?
05 CSRF Attacks
Overview
What are Cookies?
● Cookies are small pieces of data that are stored on the client side and sent back to the server along with every request the client makes to that server.
● Cookies have various uses: they can be used for maintaining sessions and for adding user-specific features to your web app.
Pros and Cons of Cookies
Pros
● Cookies are simple to use and implement
● They occupy less memory
● We can configure cookies
● Cookies persist much longer than session state
● They do not require any server resources, since they are stored on the client
● They are domain-specific
● They can be disabled by the user
Cons
● They are not secure
● Difficult to decrypt
● There are limitations in size
● Can be disabled
● Cookies will not work if the security level is set to high in the browser
● Users can delete cookies
● A user's browser can refuse cookies, so your code has to anticipate that possibility
● They can easily be hacked
● There is a limit on the size of a cookie
Alternatives to Cookies
localStorage:
● node-localstorage is a drop-in substitute for the browser-native localStorage API that runs on Node.js.
● It is widely used as a localStorage alternative for Node.js. You have access to all the methods of localStorage, such as length, setItem, getItem, clear, etc.
sessionStorage:
● The sessionStorage API is very useful when you need to store data temporarily in the browser. We used to abuse cookies for this, but not all the data you want to store needs to be synced with the server.
● The sessionStorage API filled that gap, but unfortunately we cannot expect this API to be available and enabled in every browser context.
What is a Session?
● Sessions help to store data across the application and its pages on the server side. Web applications work over the HTTP protocol.
● HTTP is stateless, so the application doesn't know about the previous request or activity; sessions help to solve this problem.
Different ways to store a Session
You can store sessions in the following ways in an ExpressJS application. These are common ways to store session data in any programming language.
● Cookie: You can store the session in a cookie, but this stores the data on the client side.
● Memory Cache: You can also store session data in a cache. As we know, a cache is stored in memory. You can use any cache module such as Redis or Memcached.
● Database: A database is also an option for storing session data on the server side.
What is Authentication?
● Authentication is meant for identifying users and granting access rights and content depending on their identity.
● It is such an essential part of web development that we can't afford to undermine its security.
Flowchart for Authentication
[Flowchart: a User interacts with the Server, which is backed by a Database. "View Products" is open to anyone; "Place Order" and "Create & Manage" are only available to logged-in users.]
How is Authentication implemented…
[Flowchart: the User sends a Login Request to the Server; the Server checks the Database, creates a Session that stores the info that the user is authenticated, and returns a Cookie in which the browser stores the Session Id; a later request for a Restricted Resource carries that cookie and gets a 200 response.]
What is Authorisation and why do we need it?
● Authorization is granting an authenticated user permission to perform a given action on specific resources.
● Both authentication and authorization are required to deal with sensitive data assets. Without either of them, you are leaving data vulnerable to breaches and unauthorized access.
● Authentication and authorization go hand in hand.
Understanding CSRF Attacks
● CSRF stands for Cross-Site Request Forgery.
● CSRF is an attack which forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
● It can happen because cookies are sent with every request to a website, even when those requests come from a different site.
[Diagram: the User's browser holds a Session Cookie for the Server. The intended request from the FrontEnd [Views] (e.g. "send money to C") and a request originating from a Fake Site (e.g. "send money to B") both carry that cookie, so the Server cannot tell them apart and processes both against the Database.]
Prevention of CSRF
● Token-Based Mitigation
  1. Synchronizer token pattern
  2. Encrypted token pattern (ETP)
● JWT authentication
DEMO…Coming Soon
Thank You!