PHP
Artem, 2015-08-03 02:32:20

How to use tokens for authentication in an API?

Hello.
I'm writing a RESTful API in PHP and I'm stuck on session authentication. I have the following algorithm:
1. The client sends the login and RSA(pass).
2. The server decrypts the password, hashes it, and compares it with the database; on failure it sends an error to the client.
3. ?? The server generates a random session identifier and writes it to the database (fields: user_id, sid, expired).
At this step I don't quite understand what session lifetime should be set.
4. The server sends the client sid and expired, i.e. the session id and its time to live in seconds.
5. On subsequent requests, the client sends sid in the header/body of the request.
Hence the questions:
1. How to choose the optimal session lifetime?
2. For requests with a current sid, should the session lifetime be extended?
3. When the session "dies", must the client perform step 1 again? (Then the client must permanently store the login and encrypted password, right?)
4. How to protect the sid from being intercepted?
I'd appreciate your help.
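Steps 3 to 5 of the scheme above, written out as an added PHP example (this is not the question author's code). The database table is replaced by an in-memory array; the lifetime of 3600 s, the 600 s renewal window and the function names are assumptions. The sid is produced by a CSPRNG, only its hash is stored so a copy of the table does not yield usable sessions, the lifetime is extended only when the session is close to expiry (question 2), and a dead session is removed so the client has to log in again (question 3).

```php
<?php
// Added example, not from the question author: issuing and validating a random
// session id as in steps 3-5 of the question. The "sessions" table
// (user_id, sid, expired) is an in-memory array here.
declare(strict_types=1);

const SESSION_TTL = 3600;          // assumed absolute lifetime in seconds
const SESSION_RENEW_WINDOW = 600;  // assumed: extend when < 10 minutes remain

// Stand-in for the sessions table, keyed by sha256(sid) so that a leaked
// table dump does not contain usable session ids.
$sessions = [];

function issueSession(array &$sessions, int $userId, int $now): array
{
    $sid = bin2hex(random_bytes(32));  // 256 bits from the CSPRNG
    $sessions[hash('sha256', $sid)] = [
        'user_id' => $userId,
        'expired' => $now + SESSION_TTL,
    ];
    // Step 4: the client receives sid and its time to live in seconds.
    return ['sid' => $sid, 'expires_in' => SESSION_TTL];
}

// Returns the user_id for a live sid, or null when the sid is unknown or dead.
function validateSession(array &$sessions, string $sid, int $now): ?int
{
    $key = hash('sha256', $sid);
    if (!isset($sessions[$key])) {
        return null;                           // unknown sid
    }
    $row = $sessions[$key];
    if ($row['expired'] <= $now) {
        unset($sessions[$key]);                // dead session: client must repeat step 1
        return null;
    }
    // Sliding expiration: extend the lifetime only near the end, so ordinary
    // traffic does not cost one database write per request.
    if ($row['expired'] - $now < SESSION_RENEW_WINDOW) {
        $sessions[$key]['expired'] = $now + SESSION_TTL;
    }
    return $row['user_id'];
}

// Explicit logout: the server forgets the sid immediately.
function revokeSession(array &$sessions, string $sid): void
{
    unset($sessions[hash('sha256', $sid)]);
}

// Demonstration with a fixed clock (constructed values).
$t0 = 1438561940;
$issued = issueSession($sessions, 42, $t0);

var_dump(validateSession($sessions, $issued['sid'], $t0 + 100));   // live sid
var_dump(validateSession($sessions, 'deadbeef', $t0 + 100));       // unknown sid

validateSession($sessions, $issued['sid'], $t0 + 3100);            // inside renewal window
var_dump(validateSession($sessions, $issued['sid'], $t0 + 4000));  // past original expiry, but renewed

revokeSession($sessions, $issued['sid']);
var_dump(validateSession($sessions, $issued['sid'], $t0 + 4000));  // revoked
```

The sid itself is the only secret the client holds, so transport over https is what protects it in transit (question 4); the server-side hash only limits the damage of a database leak.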


4 answers
Anton B, 2015-08-03
@ber_enot

How I did it.
I gave up classic sessions when working through the API.
1. For authorization, the user enters a login and password; the device sends them via https to account/auth.
2. account/auth issues a token (token_id:token_val) and a secret.
3. The device sends all further requests via http, specifying the token and signing the requests with the secret.
How it works.
The server receives the request, sees that a token has arrived, and splits it at the colon into input_id and input_val. It selects the token with the received input_id from the database and gets token_val and secret from there. It compares input_val and token_val. If a token with the required id exists in the database and the val values are equal, it's time to check the validity of the request.
In addition to the token, the client passed sign (a signature), formed, for example, as secret+api_path+query_param. On the server side you know api_path and query_param, and secret is taken from the database. The signature is hashed with hmac().
Besides the token and the signature, you can also pass time, include it in sign, and on the server side reject requests that are more than 60 seconds old.
Thus:
If someone is listening to your channel, they will not be able to forge requests (and therefore compromise anything), and thanks to the request lifetime check they will not be able to receive data forever from a request they intercepted once.
And you can store tokens in the database until the client himself requests their destruction, save the time of the last access via the token, and delete tokens that have not been used for more than 60 days.
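The token-plus-signature exchange described in this answer, as an added PHP example (not Anton B's code): both the client side that builds a signed request and the server side that checks it. The token table is an in-memory array, the header names X-Token, X-Time and X-Sign, the use of SHA-256 inside hmac(), the newline separator between the signed parts and the 60-day cleanup helper are assumptions. The secret is used as the HMAC key rather than concatenated into the hashed string, which is the standard way to apply hmac() to "secret+api_path+query_param".

```php
<?php
// Added example, not Anton B's code: token lookup, constant-time comparison,
// 60-second time window and HMAC request signature as described above.
declare(strict_types=1);

const MAX_SKEW = 60;  // seconds, as in the answer

// What account/auth stored when the token was issued (constructed values).
$tokens = [
    'tok01' => [
        'token_val' => '9f2c1a0b7e5d4c3b',
        'secret'    => 'a3b1c8d4e5f60718293a4b5c6d7e8f90',
        'user_id'   => 42,
        'last_used' => 1438561900,   // issue time, updated on every valid request
    ],
];

// Signature over api_path + query_param + time, keyed with the secret.
// The "\n" separator (assumption) keeps path, query and time from running together.
function signRequest(string $secret, string $apiPath, string $query, int $time): string
{
    return hash_hmac('sha256', $apiPath . "\n" . $query . "\n" . $time, $secret);
}

// Client side: canonicalise the query, then sign path, query and time.
function clientBuildRequest(string $token, string $secret, string $apiPath, array $params, int $now): array
{
    ksort($params);                          // fixed parameter order on both sides
    $query = http_build_query($params);
    return [
        'path'    => $apiPath,
        'query'   => $query,
        'headers' => [
            'X-Token' => $token,             // token_id:token_val
            'X-Time'  => (string) $now,
            'X-Sign'  => signRequest($secret, $apiPath, $query, $now),
        ],
    ];
}

// Server side: returns user_id for a valid request, null otherwise.
function serverVerify(array &$tokens, array $req, int $now): ?int
{
    $h = $req['headers'];
    if (!isset($h['X-Token'], $h['X-Time'], $h['X-Sign'])) {
        return null;
    }
    $parts = explode(':', $h['X-Token'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$inputId, $inputVal] = $parts;
    if (!isset($tokens[$inputId])) {
        return null;                                      // no token with this id
    }
    $row = $tokens[$inputId];
    if (!hash_equals($row['token_val'], $inputVal)) {     // constant-time compare
        return null;
    }
    $time = (int) $h['X-Time'];
    if (abs($now - $time) > MAX_SKEW) {
        return null;                                      // older than 60 seconds
    }
    $expected = signRequest($row['secret'], $req['path'], $req['query'], $time);
    if (!hash_equals($expected, $h['X-Sign'])) {
        return null;                                      // path, query or time changed
    }
    $tokens[$inputId]['last_used'] = $now;                // feeds the 60-day cleanup
    return $row['user_id'];
}

// Delete tokens that have not been used for more than 60 days.
function purgeIdleTokens(array &$tokens, int $now, int $maxIdle = 60 * 86400): void
{
    foreach ($tokens as $id => $row) {
        if ($now - $row['last_used'] > $maxIdle) {
            unset($tokens[$id]);
        }
    }
}

// Demonstration with a fixed clock (constructed values).
$now = 1438561940;
$secret = $tokens['tok01']['secret'];
$req = clientBuildRequest('tok01:9f2c1a0b7e5d4c3b', $secret, '/v1/messages', ['limit' => 10, 'page' => 2], $now);

var_dump(serverVerify($tokens, $req, $now + 5));        // genuine request inside the window
var_dump(serverVerify($tokens, $req, $now + 120));      // same request presented two minutes later

$tampered = $req;
$tampered['query'] = 'limit=100&page=2';                 // query changed, signature not recomputed
var_dump(serverVerify($tokens, $tampered, $now + 5));

purgeIdleTokens($tokens, $now + 61 * 86400);
var_dump(isset($tokens['tok01']));                      // removed after 61 idle days
```

Two limits worth knowing when using this: the time check only bounds replay to the 60-second window, so a request captured inside that window can still be repeated until it ages out unless the server also remembers recently seen signatures; and because the answer sends the requests over plain http, the signature protects integrity, not confidentiality of the request or response body.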

Dmitry, 2015-08-03
@EvilsInterrupt

Writing a RESTful API in PHP, stuck on session authentication

Are you sure you understand what REST is? You are writing anything but REST! One of the requirements of REST is that it be stateless. In other words, your request ALREADY contains everything needed to perform the operation, and likewise the response will be either "come back later" or "here is the result of the operation". There is no such term as a session in REST. If you managed to add one, then you did not write REST.

matperez, 2015-08-03
@matperez

Look here https://github.com/firebase/php-jwt and here www.sitepoint.com/php-authorization-jwt-json-web-t...
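A JWT carries the user id and expiry inside a signed token, so the server keeps no session table at all, which is the stateless approach the previous answer asks for. The following added PHP example (written for this page, not code from matperez or from the firebase/php-jwt library, which should be used in practice) issues and verifies an HS256 token by hand so the mechanism is visible: base64url-encoded header and claims, an HMAC-SHA256 over both, and an exp claim checked against the clock. The claim names sub/iat/exp are the standard registered ones; the key and timestamps are constructed.

```php
<?php
// Added example, not from matperez or firebase/php-jwt: minimal HS256 JWT
// issue/verify pair to show the stateless token mechanism behind the links.
declare(strict_types=1);

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);   // restore stripped padding
    }
    $raw = base64_decode(strtr($data, '-_', '+/'), true);
    return $raw === false ? '' : $raw;
}

// Build header.payload.signature with HMAC-SHA256 over "header.payload".
function jwtIssue(array $claims, string $key): string
{
    $header  = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64UrlEncode(json_encode($claims));
    $sig     = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// Returns the claims for a valid, unexpired token, null otherwise.
function jwtVerify(string $jwt, string $key, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;

    // The algorithm is fixed by the server; the token's own "alg" is only
    // checked for agreement, never used to choose the verification method.
    $hdr = json_decode(base64UrlDecode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null;
    }

    $expected = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $key, true));
    if (!hash_equals($expected, $sig)) {
        return null;                           // modified or not signed with our key
    }

    $claims = json_decode(base64UrlDecode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null;                           // missing or past expiry
    }
    return $claims;
}

// Demonstration with a fixed clock (constructed values).
$key = random_bytes(32);                       // assumed: server-side signing key
$now = 1438561940;
$token = jwtIssue(['sub' => 42, 'iat' => $now, 'exp' => $now + 3600], $key);

var_dump(jwtVerify($token, $key, $now + 10));          // valid
var_dump(jwtVerify($token, $key, $now + 3601));        // expired
var_dump(jwtVerify($token, 'some-other-key', $now + 10));  // signed with a different key

// Claims rewritten but the old signature kept
[$h, $p, $s] = explode('.', $token);
$edited = "$h." . base64UrlEncode(json_encode(['sub' => 1, 'exp' => $now + 3600])) . ".$s";
var_dump(jwtVerify($edited, $key, $now + 10));
```

The trade-off against the session-id scheme in the question: nothing has to be stored per user, but a token cannot be revoked before exp without reintroducing some server-side state (a denylist of token ids), so keep exp short.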

Andrey K, 2017-12-03
@kuftachev

As I understand it, an answer is no longer relevant, but still: REST rather implies a thick client, so it should not store state. Yii2 can do authentication for REST out of the box; other frameworks, I think, can too.
