How Authentication Works

When you log into a website, you're going through authentication — the process of proving your identity. It's the digital equivalent of showing your ID at a secure entrance before being allowed inside.

The Basic Login Flow

The most common authentication flow works like this:

  1. You enter your username and password
  2. The server checks if the password matches what's stored for that username
  3. If it matches, the server creates a session and sends back a session cookie
  4. Your browser includes that cookie with every future request
  5. The server recognizes you without asking for your password again

This is why you can navigate around a website after logging in once — your browser automatically proves your identity with each request.

Passwords and Security

Well-designed websites don't store your password directly. Instead, they store a hashed version: the output of a one-way mathematical transformation that's easy to compute but nearly impossible to reverse. When you log in, the server hashes what you typed and compares the result to the stored hash.

This means even if attackers steal the database, they don't get usable passwords. They get scrambled text that can't easily be converted back.
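The login flow and the hashed-password check described above, combined in one added example (not code from the original page). The in-memory `USERS` and `SESSIONS` dictionaries, the function names, the per-user salt and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

USERS = {}     # username -> (salt, password_hash); stand-in for the user table
SESSIONS = {}  # session id -> username; stand-in for the session store
ITERATIONS = 600_000  # PBKDF2 work factor, a value chosen for this example


def hash_password(password, salt):
    """Slow, salted, one-way hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = secrets.token_bytes(16)  # random per user, stored beside the hash
    USERS[username] = (salt, hash_password(password, salt))


def login(username, password):
    """Steps 2-3: check the password; return a session id for the cookie, or None."""
    known = username in USERS
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hash_password(password, salt)  # same work for unknown usernames
    if not (hmac.compare_digest(candidate, stored) and known):
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable random value
    SESSIONS[session_id] = username
    return session_id


def user_for_cookie(session_id):
    """Steps 4-5: recognise the user from the cookie, no password needed."""
    return SESSIONS.get(session_id)


def logout(session_id):
    SESSIONS.pop(session_id, None)  # the cookie value no longer maps to anyone


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample account
    cookie = login("alice", "correct horse battery staple")
    print(user_for_cookie(cookie))
    print(login("alice", "wrong guess"))
    logout(cookie)
    print(user_for_cookie(cookie))
```

The stored record never contains the password itself, and two users with the same password get different hashes because each has its own salt.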

Tokens and Modern Authentication

Many modern applications use tokens instead of traditional sessions. After you authenticate, the server issues a token — a signed piece of data containing your identity information. Your browser stores this token and sends it with requests.

JWTs (JSON Web Tokens) are a popular token format. Unlike sessions, a token can be verified by checking its signature, without looking anything up in a database, which makes tokens useful for distributed systems.

Staying Logged In

When you check "Remember me," the website creates a longer-lasting token or session. Without it, your session expires quickly — often when you close the browser or after a short timeout.

Authentication vs Authorization

Authentication answers "Who are you?" — it confirms identity. Authorization answers "What can you do?" — it determines permissions. You must authenticate before the system can authorize your actions.

Understanding authentication helps you recognize why websites behave certain ways — why sessions expire, why password requirements exist, and why logging out matters on shared computers.
