AuthN, AuthZ, sessions & JWT
Core details
AuthN verifies who the caller is; AuthZ decides what that caller may do to a specific object. Coarse roles alone are not enough once data is tenant-scoped: the check must include tenant and ownership, not only role.
Cookie sessions flagged HttpOnly, Secure and SameSite keep the session id out of reach of page script and off plaintext connections, but the browser still attaches the cookie automatically, so state-changing requests need CSRF defenses (anti-CSRF tokens or Origin checks). SameSite=Lax alone still lets a top-level GET navigation carry the cookie, so GET must never mutate state.
JWT or opaque bearer tokens simplify cross-service hops, but a token kept in localStorage or JS memory is readable by any script running on the page, so a single XSS exfiltrates it. Pair front-end token storage with short TTLs, refresh-token rotation and a hardened XSS surface (CSP, output encoding).
Validate JWT claims: iss, aud, exp (and nbf when present). Verify the signature first, with the algorithm pinned server-side and the key selected by kid from a rotated key set. Decoding the payload without verifying the signature is not validation: anyone can mint a payload.
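The validation order described above, as an added example that is not code from the original page. It uses only the Python standard library (HMAC-SHA256 rather than a JWT library) so the checks are visible: algorithm pinned, key chosen by kid from a constructed key set with a previous key kept for rotation, signature compared in constant time, then iss, aud, exp, nbf and an optional jti denylist. The key set, issuer, audience and the decode_only anti-pattern are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key set, keyed by kid. In production this comes from a JWKS
# endpoint or a secrets store; the previous key stays available after a
# rotation so tokens issued just before the rotation still verify.
KEYS = {
    "2024-05": b"constructed-current-hmac-key-not-for-real-use",
    "2024-01": b"constructed-previous-hmac-key-not-for-real-use",
}
EXPECTED_ISS = "https://issuer.example"   # assumed issuer for this example
EXPECTED_AUD = "orders-api"               # assumed audience of this service
ALLOWED_ALG = "HS256"                     # pinned server-side; the token header never chooses


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign(claims: dict, kid: str) -> str:
    """Issuer side: mint an HS256 JWT under the key named by kid."""
    signing_input = json_b64({"alg": ALLOWED_ALG, "typ": "JWT", "kid": kid}) + "." + json_b64(claims)
    mac = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_only(token: str) -> dict:
    """The anti-pattern: returns the payload without checking anything.
    Whoever wrote the token controls what this returns."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, now: Optional[float] = None,
           revoked_jtis: frozenset = frozenset()) -> dict:
    """Resource-server side: signature first, then claims, then revocation."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError:                            # wrong part count, bad base64, bad JSON
        raise TokenError("malformed token")
    if header.get("alg") != ALLOWED_ALG:          # rejects "none" and algorithm confusion
        raise TokenError("algorithm not allowed")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p64))      # only now is the payload trustworthy
    if claims.get("iss") != EXPECTED_ISS:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if EXPECTED_AUD not in aud:
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    if now < claims.get("nbf", now):
        raise TokenError("not yet valid")
    if claims.get("jti") in revoked_jtis:         # explicit revocation, if a denylist is kept
        raise TokenError("revoked")
    return claims
```

The jti denylist is the "explicit revocation infrastructure" option: it costs a lookup per request, which is exactly the state that statelessness was supposed to avoid, so most deployments keep the TTL short and bound the denylist to that window.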
Understanding
Authorization belongs next to the authoritative data, not sprinkled only at the edge: duplicated front-end checks diverge silently from the server's rules, and the server must decide as if the front end did nothing. JWT statelessness trades away instant revocation; you get it back only with short TTLs plus refresh choreography, or with explicit revocation infrastructure (a denylist of token ids, forced key rotation). Say that trade-off plainly in interviews.
Senior understanding
| Prompt | Response shape |
|---|---|
| IDOR | demonstrate object-level test matrix mentally |
| Broken logout | server-side session invalidation semantics |
| Tenant isolation | predicates + integration tests blocking cross reads |
Link to /security for browser attack coupling when FE stores tokens.
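The three table rows and the point above about keeping authorization next to the data, as one added example that is not code from the original page. It builds a constructed in-memory SQLite table with two tenants, shows the IDOR-shaped fetch beside the hardened fetch whose tenant and ownership predicates travel with the query, computes the object-level access matrix an integration test would assert on, and adds a server-side session store whose logout semantics are deletion of the server record. Principals, tenant names and the invoice table are assumptions made for the illustration.

```python
import secrets
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    role: str   # "member" or "admin"; admin is scoped to the principal's own tenant


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants (acme, globex) and three invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "owner_id TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        (1, "acme", "alice", 10_000),
        (2, "acme", "bob", 25_000),
        (3, "globex", "carol", 99_900),
    ])
    return conn


def fetch_invoice_idor(conn: sqlite3.Connection, invoice_id: int) -> Optional[tuple]:
    """Vulnerable shape: the handler assumes a front-end or gateway check already
    happened, so any caller who guesses an id reads any tenant's row (IDOR)."""
    return conn.execute(
        "SELECT id, tenant_id, owner_id, amount_cents FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def fetch_invoice(conn: sqlite3.Connection, who: Principal, invoice_id: int) -> Optional[tuple]:
    """Hardened shape: the tenant and ownership predicates travel with the query,
    next to the data. A row in another tenant, or owned by someone else when the
    caller is not an admin, is indistinguishable from a row that does not exist."""
    return conn.execute(
        "SELECT id, tenant_id, owner_id, amount_cents FROM invoices "
        "WHERE id = ? AND tenant_id = ? AND (owner_id = ? OR ? = 'admin')",
        (invoice_id, who.tenant_id, who.user_id, who.role),
    ).fetchone()


PRINCIPALS = [
    Principal("alice", "acme", "member"),
    Principal("bob", "acme", "member"),
    Principal("acme-admin", "acme", "admin"),
    Principal("carol", "globex", "member"),
]


def access_matrix(conn: sqlite3.Connection) -> dict:
    """Object-level test matrix: every principal tried against every invoice id.
    Maps (user_id, invoice_id) -> whether the hardened fetch returned a row; the
    integration test asserts every cross-tenant and cross-owner cell is False."""
    return {
        (p.user_id, i): fetch_invoice(conn, p, i) is not None
        for p in PRINCIPALS
        for i in (1, 2, 3)
    }


class SessionStore:
    """Server-side session table for the cookie model. Logout deletes the server
    record, so a copied cookie stops working at once; logout_all covers the
    'sign out everywhere' case that a stateless token cannot honour immediately."""

    def __init__(self) -> None:
        self._by_sid: dict = {}          # session id -> user id

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._by_sid[sid] = user_id
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        return self._by_sid.get(sid)

    def logout(self, sid: str) -> None:
        self._by_sid.pop(sid, None)      # idempotent; a repeated logout is harmless

    def logout_all(self, user_id: str) -> int:
        doomed = [s for s, u in self._by_sid.items() if u == user_id]
        for s in doomed:
            del self._by_sid[s]
        return len(doomed)
```

Returning None for both "missing" and "not yours" matters: a distinct 403 for rows that exist in another tenant turns the endpoint into an id oracle. The matrix is the artefact to keep in CI; when a new role or a new object type is added, a new row or column in that matrix is the cheapest place to catch a missing predicate.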
Diagram
See also