Authentication and Access Control
Passwords, hashing, MFA, session management, and role-based access control.
Authentication verifies identity; authorisation enforces what an authenticated principal may do. This chapter covers password storage with salted hashes, multi-factor authentication, session tokens and cookies, JSON Web Tokens, and role-based access control — with examples of insecure implementations and their fixes.
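As an added illustration of the "insecure implementation and its fix" pattern this chapter uses (example code written for this page, not from the chapter's own material), the block below places an unsalted fast hash beside a per-user-salted, iterated PBKDF2-HMAC-SHA256 record with a constant-time check. The `pbkdf2_sha256$iterations$salt$digest` record layout, the iteration count and the `needs_rehash` helper are assumptions chosen for the example, not a standard the page defines.

```python
import hashlib
import hmac
import os

# --- Insecure "before" -----------------------------------------------------
# Unsalted, fast hash: two users with the same password get the same digest,
# precomputed tables work, and a GPU tries billions of guesses per second.
def insecure_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def insecure_verify(password: str, stored: str) -> bool:
    # str '==' stops at the first differing byte, leaking timing information.
    return insecure_hash(password) == stored


# --- Hardened "after" ------------------------------------------------------
# Assumed work factor for this example; raise it as hardware improves and
# keep it in the stored record so old hashes can be upgraded on next login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"  # hypothetical record tag used by this example


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse_record(record: str):
    """Split a record into (iterations, salt, digest); return None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or len(salt) < 8 or len(digest) != 32:
        return None
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and work factor; compare in constant time."""
    parsed = _parse_record(record)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the stored record uses fewer iterations than the current policy."""
    parsed = _parse_record(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("salted records differ:", alice != bob)
    print("insecure digests collide:",
          insecure_hash("correct horse battery staple") == insecure_hash("correct horse battery staple"))
    print("verify ok:", verify_password("correct horse battery staple", alice))
    print("verify wrong:", verify_password("Tr0ub4dor&3", alice))
```

On a successful login, call `needs_rehash` and, if it returns True, store `hash_password` of the just-verified cleartext so the work factor is upgraded transparently; the cleartext is only available at that moment.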