Site authentication via API - logic advice
Posted 22 February 2013 - 06:30 PM
To begin with, traditional basic PHP/MySql websites use stored usernames and passwords in their database for authentication, and create session values to grant user access, based on the username and a hash of the password.
Now, the site I'm working on uses MySql for the session storage and brute force protection, but the username and password are not stored there. During the login process the username, password, and IP address are passed via cURL to an API, which responds with a temporary (about 5 minutes I think) token.
My question is this. What's the best way to ensure the session is secure? I'm not storing the password locally, and obviously I can't keep it in session to revalidate at the API. Would it be secure "enough" if I simply store the token response in MySql? Maybe hash it together with the username, IP address, and browser agent? If I did that, at least with the next login the token would be different and a new hash created.
Posted 22 February 2013 - 06:39 PM
Posted 23 February 2013 - 03:05 AM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users