3

I'm sorry to put another REST authentication question on the website, but I really need to get a complete answer. I have a REST API in which I try to log in to a single page website (through jQuery).

I want to create token-based authentication, but there are some steps I still can't understand.

At first, do I have to make a normal authentication to get and store in the DB the user login/password? Do I have to use the user session to store the token? Does someone have an example of PHP code that I can use?

source :

----------- EDIT ---------------

Ok, I have some news to add.

  • First, yes, I have to make a normal authentication by sending the pair login, sha1(login+passwd)
  • After, no, never use the session as a secure way to store data; the login and sha1(login+passwd) will be stored in a database or in an application-scope storing solution, like a hashmap.
  • But I still need you if you have a piece of PHP code. It's the reason why I put my answer as an edit.

1 Answer

4

Oh, I just saw the badge "no view and no answer for a long time" and it brought me back here. I've finally found the answer:

The register is something you do only one time, so you can send the hash key without really good protection (I mean against sniffing).

So here is the scenario to register:

  • Client enters login and password
  • Client sends login, hash (sha256(login + password))
  • The server stores this pair in the database (you can cache it in a hashmap to increase speed)

Now for the login:

  • Client: asks for a session salt through a REST service or a hidden field in the HTML page.
  • Server: generates the salt from datetime and random and stores it in the session
  • Client enters the login and password
  • Client JavaScript hashes sha256(sha256(login + password) + salt) and stores the pair (login, hash) in localStorage (HTML5; be careful with Modernizr or other stuff like this, this pair needs to stay private)
  • Server checks if (sha256(stored_hash_for_login + salt_in_session) == hash received)
  • Server: if it's OK, stores the token shared with the client
  • Client logged in

Now every time the client wants to make an authenticated request, it will use the following method:

  • get the pair (login, token) from localStorage
  • generate a hash of its request like this:
  • hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
  • The params need to be in alphabetical order.

The server receives the request (login, timestamp, params, hash_request), checks if the timestamp is not too old, generates the hash_request from the token in the hashmap for the login and checks if it is the same. In this way, you avoid replay (timestamp) and the clear password.
