quasiman Posted February 22, 2013 Share Posted February 22, 2013 Hi Everyone, To begin with, traditional basic PHP/MySql websites use stored usernames and passwords in their database for authentication, and create session values to grant user access, based on the username and a hash of the password. Now, the site I'm working on uses MySql for the session storage and brute force protection, but the username and password are not stored there. During the login process the username, password, and IP address are passed via cURL to an API, which responds with a temporary (about 5 minutes I think) token. My question is this. What's the best way to ensure the session is secure? I'm not storing the password locally, and obviously I can't keep it in session to revalidate at the API. Would it be secure "enough" if I simply store the token response in MySql? Maybe hash it together with the username, IP address, and browser agent? If I did that, at least with the next login the token would be different and a new hash created. Any ideas? Link to comment https://forums.phpfreaks.com/topic/274840-site-authentication-via-api-logic-advice/ Share on other sites More sharing options...
quasiman Posted February 22, 2013 Author Share Posted February 22, 2013 Oops...I just realized this is the wrong forum. Maybe a moderator can move it? Link to comment https://forums.phpfreaks.com/topic/274840-site-authentication-via-api-logic-advice/#findComment-1414301 Share on other sites More sharing options...
Christian F. Posted February 23, 2013 Share Posted February 23, 2013 Not a moderator, but moved it for you still. Link to comment https://forums.phpfreaks.com/topic/274840-site-authentication-via-api-logic-advice/#findComment-1414353 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.