PHP Login/Authentication/Sessions/API/Token -

i need develop secure login system.

i have api layer, , plan create token table. i'll send username/password (post) api , generate unique token (one time token limited time), return token in json.

my questions are:

1. what should saved in sessions while user logged in. want store little possible information. should save token only? safe?

2. i don't want store access levels , user info in session, need these info each time via token.. think? advice!

3. any other advice develop more secure login system.

thank in advance.

since you'd keep sessions logged in identification, encounter problem: clients can't kept session.

for example, cell phones, web-based app.

i'm creating similar project. , solution

1. creating table named session (or whatever want), keeps usertoken (randomly generated), userid, tokenexpire.
2. once user logged in, create record @ session table, , return token user (encoded json).
3. user keeps token own, , attached token on every request. (no matter body or header, i'm using header separate data).
4. check token every time before asking something. example, token exists? token expired? user blocked?
5. by step 4., can user querying relatively.

that solution. it's similar way.

additionally, improve security, follow ways if could

1. use ssl (http) secure connection between server , clients.
2. don't keep password plaintext. should encrypt them.
3. you can generate token longer possible.
4. the token field of session table, should case sensitive. change collation different _ci (means case insensitive)
5. check post data prevent sql injection. never trust users give you.

the instructions above fundamental. that.