John Smith, 2016-12-12 14:34:59
PHP

Mobile application: how to verify that the user is who they claim to be?

Hello everyone,
Sorry in advance for the confusion :)
There is an application in which users can read/write their data to the database.
WordPress is used as a backend. In fact, not quite: we write and change data in the table of one plugin installed on the site.
Before changing the data, we must know who this user is, since we only change our own data.
I made a script and turned it into a template, assigned it to a WP page, and by passing a simple GET request with a username to this address the issue is resolved: the script finds this user and the changes are written where necessary. (The approach with the template seems so-so, but it was the first thing that came to my mind.)
But this is not safe, and I would like a stricter check. That is, not just send the nickname and what needs to be changed to the server, but also the password, so that the script not only finds the user but also checks that the password matches.
In essence, like a login. The fact is that I have no experience in this. I started digging and realized that basic authentication will not work: it's too easy to get the password.
I also thought about transmitting the password but well protected, with bcrypt for example. But I still don't think it's safe to send the password or its hash with the request, even in a header.
Today I'm looking towards OAuth 1.0 and I don't feel comfortable; I think I'm getting stuck in this, and there are other things that need to be finished. Maybe I'm overthinking it?
Once again, I have no experience in all this; Google is my experience.
But I have an idea, in general terms.
Application on Ionic 2.
How do I do this damn check?
Due to time pressure, I rush at things impudently, and everything falls out of my hands.

3 answer(s)
Vyacheslav Zolotov, 2016-12-12
@icefog2016

It is common practice to pass a token to the client after it authenticates with the server; the client then sends this token to the server with each request, and the server uses it for verification. You can skip OAuth for your own application; it's really more for third-party ones.
PS: look at the VKontakte and Facebook APIs.
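The token flow described in this answer, as an added example written for this page (it is not the answer author's code and not a WordPress API): a login endpoint checks the password with `password_verify()`, hands back a random bearer token, and every later request is mapped back to a user through that token. Two in-memory arrays stand in for the user and session tables; the function names (`login`, `verifyToken`, `revokeToken`, `bearerFromHeader`), the one-hour lifetime and the sample user are assumptions.

```php
<?php
// Added example: token-based authentication for a mobile client talking to a
// PHP backend. Arrays replace the plugin's database tables; names and the
// token lifetime are assumptions made for this illustration.

declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a token stays valid (assumed value)

// "users" table: username => hash produced by password_hash().
// Constructed sample data; the demo password is 'correct horse'.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// "sessions" table: sha256(token) => [user, expires]. Only the hash of the
// token is stored, so a copy of this table does not contain usable tokens.
$sessions = [];

/** Step 1: the client sends username + password once; the server answers with a token. */
function login(array $users, array &$sessions, string $user, string $pass): ?string
{
    // Same null result for unknown user and wrong password: no user enumeration.
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $sessions[hash('sha256', $token)] = [
        'user'    => $user,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

/** Step 2: every later request carries the token; the server maps it to a user. */
function verifyToken(array &$sessions, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($sessions[$key])) {
        return null;
    }
    if ($sessions[$key]['expires'] < time()) {
        unset($sessions[$key]);                   // expired: forget it
        return null;
    }
    return $sessions[$key]['user'];
}

/** Logout or compromise: the token held by the client stops working at once. */
function revokeToken(array &$sessions, string $token): void
{
    unset($sessions[hash('sha256', $token)]);
}

/** Pull the token out of an "Authorization: Bearer <hex>" header value. */
function bearerFromHeader(?string $header): ?string
{
    if ($header !== null && preg_match('/^Bearer\s+([0-9a-f]{64})$/', $header, $m)) {
        return $m[1];
    }
    return null;                                  // missing or malformed header
}

// Demo of the whole flow with the constructed user.
$token = login($users, $sessions, 'alice', 'correct horse');
var_dump($token !== null);
var_dump(verifyToken($sessions, bearerFromHeader('Bearer ' . $token)));
var_dump(login($users, $sessions, 'alice', 'wrong password'));
revokeToken($sessions, $token);
var_dump(verifyToken($sessions, $token));
```

The password crosses the wire exactly once, at login, and only over HTTPS; afterwards the client presents the token. Storing the token's hash rather than the token itself means a read of the sessions table does not hand out live credentials, and the expiry plus `revokeToken()` bound how long a stolen token is useful.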

Leonid Fedotov, 2016-12-12
@iLeonidze

Store the login and password hash on the client, a la md5($login."_".$password), then pass this hash to the server on every HTTPS connection with explicit certificate verification. Before performing any operations, check the user's hash against the database (you already put the saved hash value directly in the database), and that's it, that's all the magic. Actually, for example, if we consider how web authorization works: when entering a login/password, the server gives the client cookies, which in turn the client constantly sends to the server. You don't need that; your application logic is much simpler, so use this :)
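The scheme in this answer as an added example (not the answer author's code): the client-side value is computed exactly as described, and the server compares it with `hash_equals()` rather than `==`. A second variant keeps the same client behaviour but stores only `password_hash()` of that value, so that whatever is in the database is not itself the credential the client sends. The function names, the in-memory tables and the sample user are assumptions.

```php
<?php
// Added example: the md5($login."_".$password) scheme from the answer, with
// the server-side check done in constant time, beside a variant whose stored
// column is a password_hash() of the client value. Names are assumptions.

declare(strict_types=1);

/** Client side: computed once and kept on the device, then sent with every request. */
function clientHash(string $login, string $password): string
{
    return md5($login . '_' . $password);
}

// --- Variant 1: as described, the server stores the very same md5 value. ---
$table1 = [];

function register1(array &$table, string $login, string $password): void
{
    $table[$login] = clientHash($login, $password);
}

function check1(array $table, string $login, string $sentHash): bool
{
    // hash_equals() keeps the comparison time independent of how many leading
    // characters match, and avoids PHP's loose == on numeric-looking strings
    // such as "0e..." hashes, which == would treat as equal to each other.
    return isset($table[$login]) && hash_equals($table[$login], $sentHash);
}

// --- Variant 2: the server stores password_hash() of the client value. ---
// The client still sends the same md5 value over HTTPS, but a copy of this
// table contains only salted, slow hashes, not the value the client transmits.
$table2 = [];

function register2(array &$table, string $login, string $password): void
{
    $table[$login] = password_hash(clientHash($login, $password), PASSWORD_DEFAULT);
}

function check2(array $table, string $login, string $sentHash): bool
{
    return isset($table[$login]) && password_verify($sentHash, $table[$login]);
}

// Demo with constructed credentials.
register1($table1, 'bob', 'hunter2');
register2($table2, 'bob', 'hunter2');
$onDevice = clientHash('bob', 'hunter2');        // what the app keeps and sends
var_dump(check1($table1, 'bob', $onDevice));
var_dump(check2($table2, 'bob', $onDevice));
var_dump(check1($table1, 'bob', clientHash('bob', 'wrong')));
var_dump(check2($table2, 'nobody', $onDevice));
```

In both variants the value the device sends is a long-lived bearer credential, so the HTTPS-with-certificate-verification part of the answer is what protects it in transit; variant 2 only changes what an exposed database column gives away.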

xmoonlight, 2017-02-04
@xmoonlight

SKEY (password hash): stored on the client and on the server.
It is generated once during registration (for example, sent by e-mail) and is never transmitted over the network afterwards.
1. The server sends its random (a random string) to the client: SERVER_RANDOM.
2. The client generates its own random CLIENT_RANDOM and calculates CLIENT_HASH: HASH(SKEY+SERVER_RANDOM+CLIENT_RANDOM).
3. The server receives the final CLIENT_HASH and CLIENT_RANDOM from the client.
4. Then the server compares the CLIENT_HASH received from the client with the HASH it calculates itself:
   CLIENT_HASH === HASH(SKEY+SERVER_RANDOM+CLIENT_RANDOM)
5. If they are identical, the user is successfully authorized.
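The five-step exchange above, as an added example (not the answer author's code): HASH() is realised as HMAC-SHA256 keyed by SKEY, and the server keeps each SERVER_RANDOM for a single, time-limited use so that a CLIENT_HASH observed on the network cannot be presented again. The function names (`issueChallenge`, `proveIdentity`, `verifyProof`), the 60-second challenge lifetime, the `|` separator inside the hashed message and the in-memory stores are assumptions.

```php
<?php
// Added example: challenge-response login with a shared SKEY that never
// leaves either side. HMAC-SHA256 stands in for HASH(); single-use
// challenges block replay. Names and lifetimes are assumptions.

declare(strict_types=1);

const CHALLENGE_TTL = 60; // seconds a SERVER_RANDOM stays valid (assumed value)

// Server-side SKEY store and the device's copy (delivered once at
// registration). Constructed sample value for the demo.
$skeyStore  = ['carol' => bin2hex(random_bytes(32))];
$deviceSkey = $skeyStore['carol'];

// Server side: outstanding challenges, one per user.
$pending = [];

/** Step 1: the server draws SERVER_RANDOM, remembers it, and sends it to the client. */
function issueChallenge(array &$pending, string $user): string
{
    $serverRandom = bin2hex(random_bytes(16));
    $pending[$user] = ['random' => $serverRandom, 'expires' => time() + CHALLENGE_TTL];
    return $serverRandom;
}

/** HASH(SKEY+SERVER_RANDOM+CLIENT_RANDOM), computed identically on both sides. */
function proofHash(string $skey, string $serverRandom, string $clientRandom): string
{
    // Keyed HMAC rather than a bare hash of the concatenation: SKEY acts as the
    // key, and the separator keeps the two randoms from running together.
    return hash_hmac('sha256', $serverRandom . '|' . $clientRandom, $skey);
}

/** Step 2: the client draws CLIENT_RANDOM and computes CLIENT_HASH. */
function proveIdentity(string $skey, string $serverRandom): array
{
    $clientRandom = bin2hex(random_bytes(16));
    return [
        'client_random' => $clientRandom,
        'client_hash'   => proofHash($skey, $serverRandom, $clientRandom),
    ];
}

/** Steps 3-5: the server recomputes the hash and compares in constant time. */
function verifyProof(array &$pending, array $skeyStore, string $user, array $msg): bool
{
    if (!isset($pending[$user], $skeyStore[$user])) {
        return false;                             // no challenge outstanding / unknown user
    }
    $challenge = $pending[$user];
    unset($pending[$user]);                       // consumed: the same proof cannot be replayed
    if ($challenge['expires'] < time()) {
        return false;                             // client answered too late
    }
    $expected = proofHash($skeyStore[$user], $challenge['random'], $msg['client_random']);
    return hash_equals($expected, $msg['client_hash']);
}

// Demo exchange: server -> client, client -> server, server verifies.
$serverRandom = issueChallenge($pending, 'carol');
$msg          = proveIdentity($deviceSkey, $serverRandom);
var_dump(verifyProof($pending, $skeyStore, 'carol', $msg));   // genuine proof
var_dump(verifyProof($pending, $skeyStore, 'carol', $msg));   // same proof again: rejected
```

The two randoms make every CLIENT_HASH unique, but only the server-side bookkeeping (remove the challenge on first use, reject it after the TTL) turns that into replay protection; without it, the answer's step 4 would accept an old CLIENT_HASH as long as the matching SERVER_RANDOM were still stored.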
