Jump to content


Photo

Site authentication via API - logic advice


  • Please log in to reply
2 replies to this topic

#1 quasiman

quasiman

    Advanced Member

  • Members
  • PipPipPip
  • 189 posts
  • LocationPortland, Oregon

Posted 22 February 2013 - 06:30 PM

Hi Everyone,

To begin with, traditional basic PHP/MySql websites use stored usernames and passwords in their database for authentication, and create session values to grant user access, based on the username and a hash of the password.

Now, the site I'm working on uses MySql for the session storage and brute force protection, but the username and password are not stored there. During the login process the username, password, and IP address are passed via cURL to an API, which responds with a temporary (about 5 minutes I think) token.

My question is this. What's the best way to ensure the session is secure? I'm not storing the password locally, and obviously I can't keep it in session to revalidate at the API. Would it be secure "enough" if I simply store the token response in MySql? Maybe hash it together with the username, IP address, and browser agent? If I did that, at least with the next login the token would be different and a new hash created.

Any ideas?

#2 quasiman

quasiman

    Advanced Member

  • Members
  • PipPipPip
  • 189 posts
  • LocationPortland, Oregon

Posted 22 February 2013 - 06:39 PM

Oops...I just realized this is the wrong forum. Maybe a moderator can move it?

#3 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • LocationNorway

Posted 23 February 2013 - 03:05 AM

Not a moderator, but moved it for you still. ;)
Keeping it simple.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Cheap Linux VPS from $5
SSD Storage, 30 day Guarantee
1 TB of BW, 100% Network Uptime

AlphaBit.com