Enhancing Web Security and Performance with Hybrid Stateless Authentication
DOI: https://doi.org/10.30871/jaic.v9i3.9251
Keywords: Authentication, Authorization, Identity Access and Management, Security, Stateless Token Revocation
Abstract
Ensuring operational integrity across industries and protecting sensitive data require strong authentication systems. This paper presents a novel hybrid stateless authentication method that integrates binary payloads, token specifications, and database solutions. By employing a distinctive expiration policy, our proposed approach overcomes limitations inherent in traditional token revocation strategies while achieving token verification speeds up to 86 times faster than conventional stateful session-based methods. Uniform benchmarking experiments and a comprehensive review of the literature substantiate the performance and security advantages of our method. Ultimately, this hybrid technique offers a more scalable and secure framework for authentication management, enabling efficient and flexible deployment in high-demand distributed environments.
License
Copyright (c) 2025 Benedictus Mario, Trianggoro Wiradinata, Christian Christian

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License (Attribution-ShareAlike 4.0 International, CC BY-SA 4.0) that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).