On many applications I’ve worked on, authentication is a big pain.
- Usually it’s a usability hazard (no one likes to authenticate themselves over and over again).
- Since it’s a cross-cutting concern and every application has some special logic for authentication, we spend way too much time hand-crafting the best strategy to implement and test it to make sure our application is secure.
- When you have multiple applications and you want to implement single sign-on, the pain just amplifies exponentially.
- On high-scalability apps, authentication (session validation) can be expensive from a performance point of view.
In the search for simplicity, I’m wondering whether there are alternative techniques to implement authentication on certain types of applications.
One thought comes to my mind, which I’m curious to try. I’ll start with a very specific example and then expand it to other applications.
While building web applications in the category of social networking or eLearning or some other category, where retrieving data from the app is not very critical from a security point of view:
Even if you have a stale session cookie, GET requests work fine without asking you to authenticate. Only when you POST does authentication kick in.
This approach will certainly not work for a banking application, where reads also have to be very secure. But for many applications, reads don’t need to be very secure. Also, most applications have a relatively very small number of POST requests, which means the user would be nudged to authenticate themselves only a very few times. Most RESTful frameworks can have this built in.
Can this approach be used for rich-client apps instead of just web-apps? I think so.
What am I missing?
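The approach described in the question, as an added example that is not part of the original post: a small Python middleware-style check that serves the safe HTTP methods (GET, HEAD, OPTIONS) with a missing or stale session and demands a fresh session for every state-changing method. It generalizes the post's "only POST" rule to all non-safe methods (PUT, PATCH, DELETE), since those change state too. The in-memory session store, the 15-minute freshness window, and the cookie values and user names are assumptions constructed for this illustration.

```python
"""
Added example (not from the original post): relaxed session checking that
lets reads through on a stale or missing session and requires a fresh
session only for state-changing requests. All names, the session store and
the TTL below are assumptions made for this illustration.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# HTTP methods defined as "safe" (read-only) in RFC 7231, section 4.2.1.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# How long a session counts as fresh after the user authenticated (assumed value).
SESSION_TTL = 15 * 60  # seconds


@dataclass
class Session:
    user: str
    issued_at: float  # Unix timestamp of the user's last authentication


# Constructed in-memory session store, keyed by the session cookie value.
SESSIONS: Dict[str, Session] = {}


def create_session(cookie: str, user: str, now: float) -> Session:
    """Record that `user` just authenticated and return the stored session."""
    session = Session(user=user, issued_at=now)
    SESSIONS[cookie] = session
    return session


def session_state(cookie: Optional[str], now: float) -> str:
    """Classify the presented cookie as 'missing', 'stale' or 'fresh'."""
    session = SESSIONS.get(cookie) if cookie else None
    if session is None:
        return "missing"
    if now - session.issued_at > SESSION_TTL:
        return "stale"
    return "fresh"


def authorize(method: str, cookie: Optional[str], now: float) -> Tuple[bool, str]:
    """Decide whether the request may proceed without re-authentication.

    Safe methods are served whatever the session state (the relaxed policy
    the post proposes); every other method needs a fresh session.
    """
    state = session_state(cookie, now)
    if method.upper() in SAFE_METHODS:
        return True, f"read allowed with {state} session"
    if state == "fresh":
        return True, "write allowed with fresh session"
    return False, f"write refused: session {state}, re-authenticate"


def handle(method: str, path: str, cookie: Optional[str], now: float) -> Tuple[int, str]:
    """Tiny dispatcher returning (status, body), as a framework middleware would."""
    allowed, reason = authorize(method, cookie, now)
    if not allowed:
        return 401, reason
    # A stale session still identifies the user, so reads can stay personalized.
    session = SESSIONS.get(cookie) if cookie else None
    who = session.user if session else "anonymous"
    return 200, f"{method.upper()} {path} as {who} ({reason})"


if __name__ == "__main__":
    t0 = time.time()
    create_session("s1", "alice", t0)
    print(handle("GET", "/feed", "s1", t0 + 60))        # fresh session, read
    print(handle("POST", "/feed", "s1", t0 + 60))       # fresh session, write
    print(handle("GET", "/feed", "s1", t0 + 3600))      # stale session, read still OK
    print(handle("POST", "/feed", "s1", t0 + 3600))     # stale session, write refused
    print(handle("DELETE", "/feed/1", None, t0))        # no session, write refused
```

The dispatcher keys the decision on the HTTP method alone, which is what lets a REST framework apply it as one middleware rather than per-handler logic; any handler that changes state through a GET would silently bypass the check, so the policy only holds if reads really are side-effect free.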