Authentication versus Authorization

Authentication is the process of ascertaining that somebody really is who they claim to be.

Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read.

The two concepts are completely orthogonal and independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.

In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.

Related Posts:

  1. What is the purpose of having a token in cookies?
  2. How to secure or disable the RSS feeds?
  3. Log in from one wordpress website to another wordpress website
  4. How does ifttt.com authenticate a supplied WordPress account
  5. how can i embed wordpress backend in iframe
  6. Security error WP 4.0 + WP phpBB Bridge [closed]
  7. How to force Authentication on REST API for Password protected page using custom table and fetch() without Plugin
  8. How do I authenticate WP users from a chrome extension?
  9. Best Way to Enable Two Step Authentication
  10. Restricting access to content
  11. Single sign-on: wp_authenticate_user vs wp_authenticate
  12. How does the “authentication unique keys and salts” feature work?
  13. WordPress Authentication Middleware
  14. Auth cookie value security risk?
  15. Authentication with the Rest API when using an External Application
  16. How to force JWT auth for default GET endpoints of WordPress rest api?
  17. Why can’t I access my Intranet LDAPS with NADI?
  18. Auto log in hook is requiring a page refresh
  19. Requiring Authentication for Parts of WordPress Site
  20. Secruity Questions on a timer
  21. How are readers authenticated for leaving comments?
  22. Where is the php file, that does the checks for login information?
  23. Uploading attachment (pdf) and prevent download for anonymous user
  24. wp_nonce vs jwt
  25. prevent anonymous access to WordPress site (non-admin site)
  26. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  27. how to add security questions on wp-registration page and validate it
  28. Password Protected Page + Showing Different Page If Not Authenticated/Authorized
  29. Usage of wp_send_json_success and wp_redirect at the same time
  30. Securely log in a user without a password using a link?
  31. Properly process a custom WP REST API request (Authenticate, Authorize + Validate)?
  32. Authenticate + Authorize WP REST API request before built-in WP JSON Schema Payload Validation?
  33. How do I deal with a compromised server?
  34. What is the difference between authentication and authorization?
  35. How to inspect remote SMTP server’s TLS certificate?
  36. Dealing with HTTP w00tw00t attacks
  37. Why is SSH password authentication a security risk?
  38. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  39. How can I enforce user to use Application password to generate JWT token? [closed]
  40. How to accept space in regex?
  41. Is a wildcard CNAME DNS record valid?
  42. segmentation fault 11 in C++ on Mac
  43. How to append text to a text file in C++?
  44. expected assignment or function call: no-unused-expressions ReactJS
  45. How do I learn WebGL the fast way?
  46. How to solve “Kernel panic – not syncing – Attempted to kill init” — without erasing any user data
  47. fix java.net.SocketTimeoutException: Read timed out
  48. Sqoop Incremental Import
  49. What is process.env.PORT in Node.js?
  50. simple IPython example raises exception on sys.exit()
  51. How to get a minecarft session ID?
  52. Factory Pattern. When to use factory methods?
  53. How to send a PUT/DELETE request in jQuery?
  54. Python: What OS am I running on?
  55. ER-Diagram: Ternary Relationship – How to read properly?
  56. How can I diff 2 files while ignoring leading white space
  57. Error `sec_error_revoked_certificate` when viewed in Firefox only
  58. Converting time stamps in excel to dates
  59. Why define PI = 4*ATAN(1.d0)
  60. Java: Not a statement
  61. Subscribe to email for security fixes?
  62. Share same domain for wp-admin but for different website
  63. How to apply a patch?
  64. Make password invalid once logged out of password-protected page
  65. Storing Dropbox Authentication?
  66. How to change WordPress user ID?
  67. Do I need to use the esc_html() function on hard coded links?
  68. WordPress restrict plugin file direct access
  69. Correct way check nonce (security) using old Options API
  70. site get login attempts after htaccess ip restriction
  71. How can I trash multiple posts at once from the front end?
  72. Changing Table Prefix for an Existing WordPresss Site
  73. Remove style `?ver=` from `/wp-admin/upgrade.php`
  74. Generating an nonce for Content Security Policy and all scripts – How to make it match/persist for each page load?
  75. 404 redirect wp-login and wp-admin after changing login url [closed]
  76. How to add API security keys into JS of wordpress securely
  77. How to get a value from wp_dropdown_user?
  78. Login cookies blocked after customizing hashing method
  79. Can someone do something to my website if I posted a snapped image of the header and covered my logo? (On reddit, when explaining a question)
  80. Blocking wp-login in HTACCESS has also blocked password protected pages
  81. Extend Cookie with auth_cookie_expiration not working
  82. WordPress Commenting System User access and Security
  83. Hide wp-login.php but not the widget
  84. How to rename the WordPress wp-login.php running on IIS6?
  85. File permissions for wp-minify plugin
  86. How to change an EC2 instance’s security group
  87. What type of DNS record is needed to make a subdomain?
  88. Multiple SSL domains on the same IP address and same port?
  89. IPTABLES – Limit rate of a specific incoming IP
  90. How to set default Ansible username/password for SSH connection?
  91. Can I make `find` return non-0 when no matching files are found?
  92. Proxy Error 502 “Reason: Error reading from remote server” with Apache 2.2.3 (Debian) mod_proxy and Jetty 6.1.18
  93. What is the difference between service and systemctl?
  94. Rsync creates a directory with the same name inside of destination directory
  95. How Often Do Windows Servers Need to be Restarted?
  96. sudoers: how to disable requiretty per user
  97. dig show only answer
  98. SSD or HDD for server
  99. Do you have any useful awk and grep scripts for parsing apache logs? [closed]
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH

Leave a Comment