How to do authorization on the site?

L

lexstile2018-04-14 19:27:31

PHP

lexstile, 2018-04-14 19:27:31

Now, upon successful authorization, I create a token, write it to the database (different for each authorization) and to cookies, then simply compare from the database and from cookies (without hashing and the like). I don't think this should be done from a security point of view.
I will add that authorization is through the API, so without a password.
How to make it more or less safe?
PS I thought about hashing, but I don't really understand:
1. Do we store a hash or a token in the database? (If you store a hash, what's the point of hashing? I think it's a pure token.)
2. Do we store a hash or a token in cookies? (here, I think, hash)
3. Compare the hash from the cookies with the hash of the token from the database?
Will this procedure improve security or not? (Comparing with the current one, described above)

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

D

DamskiyUgodnik, 2018-04-16
@lexstile

I would do this:
1. Authorize the user
2. Give him a token (in cookies) and write it to the database as active
3. Check the token from the cookies with the token from the database (for requests)
As far as I know, vk works like this the same scheme (at least outwardly it looks like this).
If you want to make it even more secure, you can limit the session by time (more precisely, the token in the database) + check the browser + ip (if it changes, log out by deleting the token from the database). But here users with dynamic ip may already have problems. Here it is already necessary to look at what is more important, data security or user convenience.