Jump to content

Site authentication via API - logic advice


quasiman

Recommended Posts

Hi Everyone,

 

To begin with, traditional basic PHP/MySql websites use stored usernames and passwords in their database for authentication, and create session values to grant user access, based on the username and a hash of the password.

 

Now, the site I'm working on uses MySql for the session storage and brute force protection, but the username and password are not stored there. During the login process the username, password, and IP address are passed via cURL to an API, which responds with a temporary (about 5 minutes I think) token.

 

My question is this. What's the best way to ensure the session is secure? I'm not storing the password locally, and obviously I can't keep it in session to revalidate at the API. Would it be secure "enough" if I simply store the token response in MySql? Maybe hash it together with the username, IP address, and browser agent? If I did that, at least with the next login the token would be different and a new hash created.

 

Any ideas?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.