Authentication vs Authorization: Key Differences Explained

There is no system without users, right? But how do we verify whether the person trying to access the system is a user or not? And if they are a user, what permissions do they have?

Authentication and authorization are very important for creating a strong and secure system. To understand them well, you need to imagine the processes in detail.

We have a table in the database named "users" that contains all the system users, such as Admin, employee, customer, etc. All users in one table!? Yes, how do we distinguish between them? We create a column in the table named "userType" and store the type of registered user there.

Now, we will perform the authentication process. When a user logs into the system, they enter their username and password. The system takes the username and password and searches for them in the "users" table in the system's database. There are two possibilities: either the user is found or not. If the user is not found, a message is displayed to the person indicating that there is an error in the username or password. If the user is found, the system moves to the authorization phase. In this phase, we have confirmed that the person trying to access the system is a user, and we will grant them the appropriate permissions by going to their specific page in the "users" table and checking the "userType".

Are we done? Actually, no, because everything we did happened after a single request, which is the login process. Is it required for the system to do all this every time the user makes a request? Certainly not, that would be crazy. So, what is the solution?

After performing the authentication and authorization processes, we will give the user a session. The session is a small table that contains the user's information and permissions but in an encrypted form called a Token. This table is stored on the server where the system is hosted. When the user makes any request, the system checks for the existence of a session for this user, decrypts it, and reads the information inside it related to the user. When the user logs out, the system deletes their session, forcing the user to log in again and the system to perform authentication and authorization once more, and so on.

There is a lot of information about sessions that we will explain in upcoming articles.