Now that our Notes application can save its data in a database, we can think about the next phase of making this a real application, namely authenticating our users.
It's so natural to log in to a website to use its services. We do it every day, and we even trust banking and investment organizations to secure our financial information through login procedures on a website. HTTP is a stateless protocol, and a web application cannot tell much about one HTTP request versus another. Because HTTP is stateless, HTTP requests do not natively know whether the user driving the web browser is logged in, the user's identity, or even whether the HTTP request was initiated by a human being.
The typical method for user authentication is to send a cookie to the browser containing a token to carry user identity. The cookie needs to...