MySQL
alek0585, 2014-05-01 21:42:28

Token-based authentication?

How does this logic work?
Let's say that I use only MySQL. I create two tables, users and tokens.
We authorize the user: I add one record with the user id and the token itself to tokens, let's say md5(timestamp + login + salt).
When authenticating, I look to see if there is such a token among the tokens and use it to get the user id.
Logout: deleting the token.
And what if there is no logout? How do I track the case when the token is obsolete and it's time to delete it (for example, 1 week)?
I remind you of the question: "WHAT TO DO WITH OLD TOKENS"

2 answer(s)
r0xer, 2014-05-01
@r0xer

You can define the maximum lifetime of the token and, at the time of user activity, update this time. In general, token-based authorization is usually done to access a closed system without entering a login/password. A typical example is some external application that wants to use your access to the system, but it is not safe to pass the login/password to this application.

Nazar Mokrinsky, 2014-05-02
@nazarpc

What prevents storing the expiration date with the token?
In general, read, for example, the OAuth2 specification: all the points related to obtaining and processing tokens are very clearly described there. It is better to use just such a generally accepted and very good approach.
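
The two answers above (a maximum lifetime refreshed on activity, and an expiration date stored with the token) combined into one sketch; this is an added example, not code posted by either answerer. Assumptions: in-memory SQLite stands in for MySQL, the column and function names are made up, the token comes from a CSPRNG rather than the md5 construction in the question, and only its SHA-256 hash is stored.

```python
import hashlib
import secrets
import sqlite3

TOKEN_TTL = 7 * 24 * 3600  # one week, the lifetime mentioned in the question

def open_db():
    db = sqlite3.connect(":memory:")  # assumption: SQLite stands in for MySQL
    db.execute("CREATE TABLE tokens (token_hash TEXT PRIMARY KEY,"
               " user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)")
    return db

def digest(token):
    # Store only a hash, so a leaked tokens table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def login(db, user_id, now):
    token = secrets.token_urlsafe(32)  # CSPRNG output, not md5(timestamp + login + salt)
    db.execute("INSERT INTO tokens VALUES (?, ?, ?)",
               (digest(token), user_id, now + TOKEN_TTL))
    return token

def authenticate(db, token, now):
    """Return the user id for a live token and slide its expiry, else None."""
    row = db.execute("SELECT user_id FROM tokens WHERE token_hash = ? AND expires_at > ?",
                     (digest(token), now)).fetchone()
    if row is None:
        return None  # unknown, logged out or expired: all rejected the same way
    db.execute("UPDATE tokens SET expires_at = ? WHERE token_hash = ?",
               (now + TOKEN_TTL, digest(token)))
    return row[0]

def logout(db, token):
    db.execute("DELETE FROM tokens WHERE token_hash = ?", (digest(token),))

def purge_expired(db, now):
    """Periodic cleanup (cron job or similar); returns the number of rows removed."""
    return db.execute("DELETE FROM tokens WHERE expires_at <= ?", (now,)).rowcount

if __name__ == "__main__":
    db, t0 = open_db(), 1_000_000  # constructed timestamp
    tok = login(db, 42, t0)
    print(authenticate(db, tok, t0 + 3600))              # 42
    print(authenticate(db, tok, t0 + 3600 + TOKEN_TTL))  # None (expired)
    print(purge_expired(db, t0 + 3600 + TOKEN_TTL))      # 1
```

Because the expiry check is part of the lookup, a stale token is rejected even if the cleanup job has not run yet; the purge only keeps the table small. A sliding expiry alone lets a continuously used token live indefinitely, so an absolute cap would need a second column such as the creation time.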
