10

I'm a beginner to Laravel 4 framework and PHP.

Currently, I'm trying to do a simple authentication process between client application and server.

Below is my planned approach:

  1. Client logs in to server via GET request with username and password.

  2. Server validates and returns a token string if successful. The token string will be encoded (hashed?) with the username, password and expiration time.

  3. Client submits a request, including the given token. Server will validate token (decode it -> check username/password and expired time). If successful, it will process the client's request.

What is the best way to generate the token with the above parameters given, and decode it at the server side?

Thank you, and I appreciate your time and help.

Improve this question
1
  • If you'r passing usernames and passwords around with each request, you may want to consider using multiple salts/encryptions. You could look at laravel libraries but from a pure PHP perspective you could look at the new password_hash function set built into PHP 5.5 at php.net/manual/en/book.password.php and its foward compatability libary for PHP 5.3.7+ at github.com/ircmaxell/password_compat Commented Sep 19, 2013 at 16:06

2 Answers 2

Reset to default
11

I don't think it is good idea to store user name and password encoded in some kind of token. Instead generate random token after successful login and store data related to the token on server side.

You may store record about each login into some table with columns token, user_id, valid_until. After each request, look for token in the database, check if it is still valid and use user_id for authentication.

You may think of token as one-time user and password, e.g. consider first 8 characters of token as temporary user name and the rest as password, if you feel uneasy about allowing access without password :)

Also you may want to run some cron job to remove expired records from database every day or so.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Wouldn't this violate the principle that REST is supposed to be stateless?
Agree auth @Hephistocles, REST is stateless. It would be better to send username and password or a key in HTTP headers if authentication is required.
1

You can use JWT JSON web Tokens for authentication to eliminate sessions and cookies completely. Similar approach is used by Facebook. Once you login with email and pwd you get a Web Token so even if its hacked you can't get the pwd from it. You can set a time limit to expire the token.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.