It is one thing to worry about security on your company's network, but it is another thing to worry about security in a Web application. Connections can come from anywhere in the world, and the possibility of data interception exists anywhere along that connection path. It is also more difficult in a Web application to know where the user is. On your company's network, if it is a LAN, you know that they are in the building or somewhere close by.
Authentication is one of the foremost components of a Web application's security. This authentication takes two forms: server authentication and client authentication.
A client machine can surf to many Web sites without fear of who is managing the site and its content. But when it comes to sending sensitive information, such as Social Security numbers and credit card numbers, clients are much more concerned about verifying the identity of the Web application with which they are interacting.
The other side of the coin appears when the client is trying to access information that is itself sensitive; medical records would be a good example. A physician somewhere might be trying to access the medical records for one of her patients. This could include X-rays, former diagnoses, and similar information. If the wrong person were to gain access to these records, the patient's confidentiality would be violated.
Other examples of when the server must verify identity are when the client is trying to access some sort of premium content, such as real-time stock quotes, online games, or patent information. When a client tries to gain access to premium content, the Web application must verify who this person is and that he has access to the premium content. It is fair to say that there is no one single correct way to secure these items. Each Web application, and each part of a Web application, might have a different approach to Web security, depending on the need. The general rule is to require the least amount of security for the situation. This normally requires less of users in the way of logging on, and requires less of the server in regard to maintaining the security.
Web application developers should always be aware of the level of security that is required for a situation. They should add only the security services that are necessary. Each additional security requirement makes your application more complex and can have a significant impact on its design.