517.2 Authentication and authorisation
Explore how web applications verify user identity and control access to resources.
Overview
In this topic, we explore how web systems confirm that users are who they claim to be (authentication) and ensure that users can only access what they’re allowed to (authorisation). Students learn the difference between these two concepts, how they are implemented in modern web applications, and why both are essential for maintaining security and user privacy.
Targets
In this topic, students learn to:
Define authentication and authorisation
Identify common methods of verifying user identity
Explain how web systems manage access control
Recognise how tokens and sessions work in secure applications
Apply examples of layered security using both authentication and authorisation
Syllabus references
What is authentication?
Authentication is the process of verifying a user’s identity.
Common authentication methods:
Username and password
Multi-factor authentication (MFA) – adds a code from a phone or app
Biometric login – such as fingerprint or face ID
OAuth – allows sign-in using external services (e.g. Google or Microsoft)
Authentication answers the question: Who are you?
Once authenticated, users receive a session token, cookie, or access token that the server checks on each request.
What is authorisation?
Authorisation controls what a user is allowed to do after they are authenticated.
Examples:
A student can view their own profile, but not others’
A teacher may access reporting features, but not edit account settings
An administrator has full access to the system
Authorisation answers the question: What are you allowed to do?
This is often managed using roles (e.g. student, editor, admin) and permissions defined by the server.
How tokens support both processes
In modern web applications:
The server issues a token (e.g. JWT – JSON Web Token) after login
This token is sent with each request to prove identity
The server checks the token and enforces access control based on user roles or permissions
Tokens are usually stored in the browser and expire after a set time to limit risk.
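As an added example (not part of this topic's own material), the following Python code walks through the flow above end to end: the server issues an HS256-signed JWT at login, verifies its signature and expiry on every request, and then applies a role-based permission table matching the student/teacher/admin examples earlier on the page. The signing key, paths and role names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET = b"demo-signing-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, role: str, ttl_seconds: int = 900, now=None) -> str:
    """Authentication step: after a successful login, issue a signed JWT."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "role": role, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None):
    """Returns the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
            return None  # only accept the algorithm we issue (rejects "none")
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None  # tampered payload or forged signature
        claims = json.loads(_unb64url(payload_b64))
        if claims.get("exp", 0) <= now:
            return None  # expired: limits the damage of a stolen token
        return claims
    except (ValueError, TypeError):
        return None

# Authorisation step: which roles may reach each resource (constructed table).
PERMISSIONS = {
    "/profile": {"student", "teacher", "admin"},
    "/reports": {"teacher", "admin"},
    "/settings": {"admin"},
}

def handle_request(path: str, token: str, now=None) -> int:
    """HTTP-style result: 401 = not authenticated, 403 = not authorised, 200 = OK."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    if claims.get("role") not in PERMISSIONS.get(path, set()):
        return 403
    return 200
```

Note that a valid token with the wrong role yields 403, while a missing, expired or tampered token yields 401: the two failures are reported differently because they belong to the two different processes.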
Summary
Authentication and authorisation are core components of secure web development. Authentication verifies who the user is, while authorisation limits what they can do. Together, they protect resources, enforce user roles, and ensure that data is only accessible to the right people.