Later chapters provide detailed examples of the
authentication methods introduced in this chapter.
Custom Tokens
A custom token allows a user to enter a username and
password once and receive a unique, automatically generated
token that is cryptographically protected, typically by a
signature (or, less commonly, by encryption), so that the
server can detect any modification to it. The user then
presents this token to access protected pages or resources
instead of repeatedly entering the login credentials.
Tokens can be time bound and set to expire after a
specific amount of time has passed, thus forcing users to
reauthenticate by reentering their credentials. A token is
designed to show proof that a user has previously
authenticated. It simplifies the login process and reduces
the number of times a user has to provide login
credentials. The token is stored in the user's browser
(usually in a cookie or in local storage) and is checked
each time the user tries to access information requiring
authentication. When the user logs out of the website or
closes the web browser, the browser's copy of the token
should be deleted and the server should invalidate the
token. Deleting the browser's copy alone does not protect
against a token that has already been stolen: the stolen
copy remains valid until it expires or is revoked on the
server. Figure 6-5 provides an overview of token-based
authentication between a client and a server.
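The following is an added example, not code from this book, showing the lifecycle described above in working Python: the user authenticates once with a username and password, the server issues a time-bound token whose payload is protected by an HMAC-SHA256 signature, later requests are admitted on the strength of the token alone, an expired or tampered token is rejected, and logout revokes the token on the server so that a stolen copy stops working. The signing key, the user store, the 15-minute lifetime and the function names are assumptions chosen for the example.

```python
"""HMAC-signed, time-bound session token with server-side revocation.

Added example, not the book's code. SERVER_KEY, USERS, the TTL and the
function names are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side signing key. Load it from a secret store in
# production; it must never reach the browser, or clients could mint tokens.
SERVER_KEY = secrets.token_bytes(32)


def _hash_password(password, salt):
    """Salted PBKDF2 hash; the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed credential store for the example: one user, salted hash only.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}

# Token IDs revoked at logout. A stolen copy of a revoked token is refused
# even though its signature and expiry would still check out.
REVOKED_IDS = set()


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64):
    mac = hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).digest()
    return b64url_encode(mac)


def issue_token(username, password, ttl_seconds=900, now=None):
    """Check the credentials once; on success return a signed, expiring token."""
    record = USERS.get(username)
    if record is None:
        # Burn the same hashing cost so a missing user is not visible by timing.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    now = time.time() if now is None else now
    payload = {
        "sub": username,
        "iat": int(now),
        "exp": int(now) + ttl_seconds,     # time bound: forces reauthentication
        "jti": secrets.token_urlsafe(16),  # unique ID so the token can be revoked
    }
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{payload_b64}.{_sign(payload_b64)}"


def verify_token(token, now=None):
    """Return the username the token proves, or None if it is malformed,
    tampered with, expired or revoked."""
    try:
        payload_b64, sig = token.split(".")
        # Constant-time comparison of the MAC before trusting any payload field.
        if not hmac.compare_digest(sig, _sign(payload_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
        now = time.time() if now is None else now
        if now >= payload["exp"]:
            return None
        if payload["jti"] in REVOKED_IDS:
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def logout(token):
    """Server-side logout. Deleting the browser's copy is not enough: the
    server must refuse the token from now on, whoever presents it."""
    try:
        payload = json.loads(b64url_decode(token.split(".")[0]))
        REVOKED_IDS.add(payload["jti"])
    except (ValueError, KeyError, TypeError):
        pass


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse battery")
    print("after login:  ", verify_token(tok))
    print("after expiry: ", verify_token(tok, now=time.time() + 3600))
    logout(tok)
    print("after logout: ", verify_token(tok))
```

The token is signed, not encrypted: anyone holding it can read the payload, so it must carry nothing secret, and its only protection against forgery is that the signing key never leaves the server. Revocation needs server-side state (here a set of token IDs); a purely stateless token cannot be "destroyed" at logout and stays usable until its expiry.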