Auth

Auth commonly refers to authentication, but the term covers two different questions:

  • Authentication = login: proving that a request comes from user x (e.g. username and password).
  • Authorization = after login: deciding what the already-identified user x is allowed to do.

What is Authentication

Authentication is making sure the person is who they claim to be.

  • e.g. Username and Password, MFA, Public Key Certificate, Biometrics.

Authorization

Authorization is determining what the authenticated user can or cannot see or do.

  • e.g. role-based access control, attribute-based access control, rule-based access control.

Session (cookie) to store the logged-in user temporarily

  • session state is kept on the server; the client only receives an unguessable session ID, usually in a cookie
  • set the cookie with HttpOnly, Secure and SameSite so scripts can't read it and cross-site requests don't carry it

The session ID is sent with every request, and the server looks it up to decide which user the request belongs to. Issue a fresh ID at login (and delete it at logout) so an ID obtained before login can't be reused.
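The whole login flow in one place, as an added example (not code from the original page): password check, issuing a random session ID in a cookie, resolving the cookie on later requests, and a role check for authorization. It assumes an in-memory session store, a constructed two-user table, and PBKDF2 standing in for a real password hash like argon2 or bcrypt.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 3600  # seconds a session stays valid (assumption)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only to keep the example dependency-free;
    # use argon2id or bcrypt in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table; hashes are computed at import so no secret is stored in source.
_SALT = secrets.token_bytes(16)
USERS = {
    "alice": {"hash": _hash_password("correct horse", _SALT), "role": "admin"},
    "bob": {"hash": _hash_password("hunter2", _SALT), "role": "viewer"},
}

# Server-side session store: session ID -> {user, expires}. The client never sees this.
SESSIONS = {}

# Authorization policy (role-based): what each role may do.
PERMISSIONS = {"admin": {"read", "write"}, "viewer": {"read"}}


def authenticate(username: str, password: str):
    """Verify credentials; on success create a session and return its ID, else None."""
    user = USERS.get(username)
    candidate = _hash_password(password, _SALT)  # hash even for unknown users (timing)
    if user is None or not hmac.compare_digest(user["hash"], candidate):
        return None
    sid = secrets.token_urlsafe(32)  # fresh, unguessable ID issued at login
    SESSIONS[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
    return sid


def set_cookie_header(sid: str) -> str:
    """Header value that hands the session ID to the browser with protective flags."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookie_header: str):
    """Resolve the Cookie header of a request to a username, or None if not logged in."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:  # malformed header: treat as anonymous
        return None
    morsel = jar.get("sid")
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    if session is None:
        return None
    if session["expires"] < time.time():
        SESSIONS.pop(morsel.value, None)  # expired sessions are removed on sight
        return None
    return session["user"]


def authorize(username: str, action: str) -> bool:
    """Authorization step: is this (already authenticated) user allowed to perform action?"""
    user = USERS.get(username)
    if user is None:
        return False
    return action in PERMISSIONS.get(user["role"], set())


def logout(sid: str) -> None:
    """Invalidate the session server-side; the cookie alone is then worthless."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    sid = authenticate("alice", "correct horse")
    print(set_cookie_header(sid))
    print(current_user(f"sid={sid}"), authorize("alice", "write"))
```

Note that `authorize` never looks at the cookie: once `current_user` has established who is asking, authorization is a separate decision about that identity, which is the distinction the two definitions above draw.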

Never use a phone number as the sole identifier

Phone numbers are recycled: a number dropped today can be reassigned to someone else later, who would then inherit the account. A phone number can be a contact or recovery channel, but it can't be the primary identifier.