user1995848 - 4 years ago - 156
PHP Question

PHP slim app login

I am developing a web application that requires a user to login.

I currently have it set up so that once the user has verified that their user name and password are correct, a unique code is sent to the client side. This then allows them to make calls to the server for the relevant data. Currently the key is stored in localStorage while the user is logged in.

So the question is: is that a safe place to store that key?

Forgot to add: the keys are generated when the user logs in; these are all unique and stored in the database alongside the user ID and an expiry date. The keys are also deleted once the user logs out or after X amount of time inactive.

Answer Source

It's best not to store the client token on the server. Keep a key used for creating the token on the server; to authenticate the client request, make the client send the token, recreate the token value with the key, and complete the authentication.

You can add any level of complexity to this process, or, to keep it simple, you can use a token-based authentication method.

It could be explained as below.

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without using their username and password. Once their token has been obtained, the user can offer the token - which offers access to a specific resource for a time period - to the remote site.


Now let's see what are the steps of implementing it in your REST web service.

It will use the following flow of control:

  • The user provides a username and password in the login form and clicks Log In.
  • After a request is made, validate the user on the backend by querying in the database.
  • If the request is valid, create a token by using the user information fetched from the database, and then return that information in the response header so that we can store the token in the browser's local storage.
  • Provide token information in every request header for accessing restricted endpoints in the application.
  • If the token fetched from the request header information is valid, let the user access the specified endpoint, and respond with JSON or XML.

Token authentication flow

JWT stands for JSON Web Token and is a token format used in authorization headers. This token helps you to design communication between two systems in a secure way. Let's rephrase JWT as the "bearer token" for the purposes of this tutorial. A bearer token consists of three parts: header, payload, and signature.

  • The header is the part of the token that keeps the token type and encryption method, which is also encrypted with base-64.
  • The payload includes the information. You can put any kind of data like user info, product info and so on, all of which is stored with base-64 encryption.
  • The signature consists of combinations of the header, payload, and secret key. The secret key must be kept securely on the server side. You can see the JWT schema and an example token below.

Look up php-jwt. You can implement the token generator with it.
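As an added example (not part of the answer above, and not php-jwt's own code), here is the stateless scheme the answer describes in plain PHP: the server keeps only a secret key, signs the header and payload with HMAC-SHA256, and on each request recreates the signature to check the token instead of looking it up in the database. The secret and the claims are constructed sample values.

```php
<?php
// Added example (not the answer's or php-jwt's code): the stateless scheme the
// answer describes, in plain PHP. The server keeps only $secret; no per-token
// row is stored. $secret and the claims below are constructed sample values.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4); // restore padding
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

// Build header.payload.signature; the payload carries the user id and an expiry.
function issue_token(array $claims, string $secret, int $ttl = 3600): string {
    $header = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $claims['exp'] = time() + $ttl;
    $payload = base64url_encode(json_encode($claims));
    $sig = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Recreate the signature with the server key and compare in constant time;
// reject any algorithm other than HS256 and any expired token. Claims or null.
function verify_token(string $token, string $secret): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return null; }
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode(base64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') { return null; }
    $expected = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) { return null; }
    $claims = json_decode(base64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < time()) { return null; }
    return $claims;
}

$secret = 'constructed-demo-secret-use-random-bytes-in-production';
$token  = issue_token(['sub' => 42], $secret);
var_dump(verify_token($token, $secret));        // valid token: claims are returned
var_dump(verify_token($token . 'x', $secret));  // altered signature: rejected
```

In a Slim app the client would send the token in an Authorization: Bearer header and verify_token would run in middleware in front of the restricted routes.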
