PHP
Stopy, 2016-04-20 23:54:31

Understanding REST?

1) If the API is used by the same service it is hosted on, is it acceptable to store the user's access_token in a cookie for accessing the REST API? Say there is a regular web application on the backend, part of which is RESTful, and there is a client side that needs to access the REST API by token; the token has to be stored somewhere on the client (not in RAM, which is lost on page reload), and in most cases that means cookies. If the REST API is a third-party server that our monolithic application talks to, then naturally the REST API does not store, and should not have, any state; but what if the REST API is a separate part of our own application, which, besides the site, may also serve a mobile application?
2) If the token is passed in a cookie during registration/login, how do you avoid being logged out when logging in from another browser/device, if the token in the user table is overwritten on each login?
Thanks in advance to everyone, and a low bow :3


2 answers
Ilya, 2016-04-21
@Stopy

Make a table of tokens linked to the user or to applications. Then you can keep more than one token per user. I made an authorization system with a table something like this:
id
token
type_of_token
user_id
app_id
The token was generated from the username with an admixture of the password, so that all tokens could be thrown off when the password changes. type_of_token indicated why the token was generated (for direct communication with the user or with an application), and there is a link to the user in another table and a link to the application if it was generated for an application.
It is normal to store the token in cookies. The main thing is that for all important actions you add it somewhere in the POST form data or in the GET request and then check it on the server, for CSRF protection.
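
As an added example (not code from the answer above or from any project on this page), here is one way to build the token table just described in PHP: one row per issued token so that a login from a second device does not overwrite the first device's token, deletion of all of a user's tokens on password change, cookie flags for the session token, and the CSRF check done with a form field derived from the cookie token rather than the token itself. The table, column and function names are assumptions. It departs from the answer in two ways: the token is random rather than derived from login and password (revocation is done by deleting rows), and only the token's hash is stored, so a database leak does not expose live sessions. It runs offline on an in-memory SQLite database (pdo_sqlite, PHP 7.3+ for the samesite cookie option).

```php
<?php
declare(strict_types=1);
// Added example: per-device tokens, revoke-all on password change, CSRF field
// bound to the session. Names are illustrative assumptions, not a real project's.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    // One row per issued token: a second login adds a row instead of overwriting the first.
    $db->exec('CREATE TABLE tokens (
        id            INTEGER PRIMARY KEY,
        token_hash    TEXT UNIQUE NOT NULL,  -- sha256 of the token; the raw token is never stored
        type_of_token TEXT NOT NULL,         -- "user" (browser/mobile session) or "app" (third-party client)
        user_id       INTEGER NOT NULL,
        app_id        INTEGER,
        expires_at    INTEGER NOT NULL)');
    return $db;
}

// Issue a fresh random token, store only its hash, return the raw value for the client.
function issueToken(PDO $db, int $userId, string $type, ?int $appId = null, int $ttl = 30 * 86400): string {
    $raw = bin2hex(random_bytes(32));  // 256 bits of entropy, not derived from login or password
    $db->prepare('INSERT INTO tokens (token_hash, type_of_token, user_id, app_id, expires_at) VALUES (?, ?, ?, ?, ?)')
       ->execute([hash('sha256', $raw), $type, $userId, $appId, time() + $ttl]);
    return $raw;
}

// Resolve a presented token (cookie or Authorization header) to its owner, or null if unknown/expired.
function authenticate(PDO $db, string $raw): ?array {
    $stmt = $db->prepare('SELECT user_id, type_of_token, app_id FROM tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $raw), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return ['user_id' => (int)$row['user_id'], 'type' => $row['type_of_token'],
            'app_id' => $row['app_id'] === null ? null : (int)$row['app_id']];
}

// Password change (or "log out everywhere"): drop every token the user holds.
function revokeAllTokens(PDO $db, int $userId): int {
    $stmt = $db->prepare('DELETE FROM tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();
}

// Cookie flags: HttpOnly keeps the token away from page scripts, Secure keeps it off plain
// HTTP, SameSite=Lax blocks most cross-site POSTs. Call before any output in a web request.
function sendSessionCookie(string $raw, int $ttl = 30 * 86400): void {
    setcookie('access_token', $raw, ['expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// CSRF: rather than copying the cookie token into the form, put an HMAC of the action keyed by
// the token into a hidden field. The field is useless without the cookie, and the page source
// never contains the session token itself.
function csrfToken(string $raw, string $action): string {
    return hash_hmac('sha256', $action, $raw);
}

function verifyCsrf(string $raw, string $action, string $submitted): bool {
    return hash_equals(csrfToken($raw, $action), $submitted);
}

// --- demo with constructed data ---
$db = openDb();
$db->prepare('INSERT INTO users (login, password_hash) VALUES (?, ?)')
   ->execute(['stopy', password_hash('correct horse', PASSWORD_DEFAULT)]);
$userId = (int)$db->lastInsertId();

$browser = issueToken($db, $userId, 'user');
$mobile  = issueToken($db, $userId, 'user');     // second login; the first token stays valid
$client  = issueToken($db, $userId, 'app', 42);  // token for an application (app_id is made up)

$check = function (bool $ok, string $what): void { echo ($ok ? 'OK   ' : 'FAIL ') . $what . PHP_EOL; };
$check(authenticate($db, $browser)['user_id'] === $userId, 'browser token valid');
$check(authenticate($db, $mobile)['user_id'] === $userId, 'mobile token still valid after browser login');
$check(authenticate($db, $client)['app_id'] === 42, 'app token carries its app_id');
$check(authenticate($db, 'not-a-token') === null, 'unknown token rejected');

$field = csrfToken($browser, 'delete_account');  // value rendered into the hidden form field
$check(verifyCsrf($browser, 'delete_account', $field), 'form field matches this session');
$check(!verifyCsrf($browser, 'change_email', $field), 'field is bound to one action');
$check(!verifyCsrf($mobile, 'delete_account', $field), 'field from another session rejected');

$check(revokeAllTokens($db, $userId) === 3, 'password change revoked all three tokens');
$check(authenticate($db, $browser) === null && authenticate($db, $mobile) === null, 'old sessions are dead');
```

Run it with `php tokens.php`; every line should print OK. Because type_of_token and app_id live on the token row, the same table serves the site's cookie sessions and a mobile or third-party client that sends the token in an Authorization header, which is the mixed case asked about in the question.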

Sergey Savostin, 2016-04-21
@savostin

You can store it wherever you want. The "correct" way is when cookies are used exclusively by the client.
