DEV Community

Aaronjames Kashim

What actually happens when you click ‘Login’?

Most people think login is simple.
Enter email → enter password → access granted.

But here’s what actually happens behind the scenes:

  1. You click “Login”
    Your browser sends a request to the server: a powerful, specialised computer or software system that stores, manages, and delivers data, files, and services to other computers (clients) over a network.

  2. The server receives your data
    (email + password)

  3. The password is NOT compared directly
    It is hashed and then compared with the stored hash

  4. If it matches
    The server creates a session (a specific period of time that a user spends on a website) or a token (a self-contained digital key that proves your identity without the server needing to look up your information in a database every time).

  5. That token is sent back to your browser

  6. Every future request includes that token
    So the server knows it’s you

That’s it—but also not that simple.

Because things can go wrong:

  • Wrong hashing method
  • No token expiration
  • Poor validation

And suddenly your app is not secure.
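
Here is steps 2 to 6 as a small Python sketch, added as an illustration and not taken from any real app: it uses a slow salted hash, puts an expiry in the token, and checks signature and expiry on every request, which are the three things the list above says can go wrong. The function names, the 15-minute lifetime, the PBKDF2 settings and the sample account are all assumptions made for this example.

```python
import base64, hashlib, hmac, json, os, time

SERVER_KEY = os.urandom(32)  # token-signing key (assumption: known only to the server)
TOKEN_TTL = 900              # seconds a token stays valid (assumed value)
PBKDF2_ROUNDS = 600_000      # slow on purpose; one bare SHA-256 would be a "wrong hashing method"

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)  # per-user random salt, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def _sign(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def issue_token(email, now=None):
    now = time.time() if now is None else now
    body = json.dumps({"sub": email, "exp": int(now) + TOKEN_TTL}).encode()
    parts = (base64.urlsafe_b64encode(body), base64.urlsafe_b64encode(_sign(body)))
    return b".".join(parts).decode()

def login(users, email, password):
    """Steps 2-5: hash the submitted password, compare hashes, issue a token."""
    record = users.get(email)
    if record is None:
        return None
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):  # constant-time comparison
        return None
    return issue_token(email)

def verify_token(token, now=None):
    """Step 6: validate signature and expiry on every request; return the user or None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.encode().split(b".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token: wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(body)):  # reject tampered tokens first
        return None
    claims = json.loads(body)  # parsed only after the signature checks out
    return claims["sub"] if claims["exp"] > now else None

# Constructed sample account, for illustration only.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}
```
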

Tomorrow: I’ll explain the difference between authentication and authorization.
