PHP Login/Authentication/Sessions/API/Token -
i need develop secure login system.
i have api layer, , plan create token table. i'll send username/password (post) api , generate unique token (one time token limited time), return token in json.
my questions are:
what should saved in sessions while user logged in. want store little possible information. should save token only? safe?
i don't want store access levels , user info in session, need these info each time via token.. think? advice!
any other advice develop more secure login system.
thank in advance.
since you'd keep sessions logged in identification, encounter problem: clients can't kept session.
for example, cell phones, web-based app.
i'm creating similar project. , solution
- creating table named
session
(or whatever want), keepsusertoken
(randomly generated),userid
,tokenexpire
. - once user logged in, create record @
session
table, , return token user (encodedjson
). - user keeps
token
own, , attachedtoken
on every request. (no matter body or header, i'm using header separate data). - check
token
every time before asking something. example,token
exists?token
expired? user blocked? - by step 4., can user querying relatively.
that solution. it's similar way.
additionally, improve security, follow ways if could
- use
ssl
(http) secure connection between server , clients. - don't keep
password
plaintext. should encrypt them. - you can generate
token
longer possible. - the
token
field ofsession
table, should case sensitive. change collation different_ci
(means case insensitive) - check
post
data preventsql injection
. never trust users give you.
the instructions above fundamental. that.
Comments
Post a Comment