Reputation: 1100
PHP REST API - Authenticate
I'm sorry to put another REST Authenticate question on the website but I really need to get a complete answer. I have a REST API in which I try to log in a single page website (through jquery).
I want to create a token based authentication, but there is some step I still can't understand.
At first, do I have to make a normal authentication to get and store in db the user login/password ? Do I have to use the user session to store the token ? Does someone have an exemple of php code that I can use ?
source :
- PHP rest API authentication
- http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
----------- EDIT ---------------
Ok, I have some news to add.
- First, Yes I have to make a normal authentification by sending the pair login, sha1(login+passwd)
- After, No, never use the session like a secure way to store data, the login and sha1(login+passwd) will be store in database or in a application scope storing solution, like an haspmap.
- But I still need you if you have a piece of php code. It's the reason why I put my answer as an edit.
Upvotes: 3
Views: 2371
Answers (1)
Reputation: 1100
Oh, I just see the badge "no view and no answer for a long time" and it bring me back here. I've finally found the answer :
The register is something you do only one time so you can send the hash key without a really good protection. (I mean against sniffing).
So here is the scenario to register :
- Client enter login and password
- Client sends login, hash (sha256(login + password))
- The server store this pair in database (you can cache it in hashmap to increase speed)
Now for the login
- Client : ask for a session salt throught a rest service or hidden field in html page.
- Server : generate the salt from datetime and random and store in session
- Client enter the login and password
- Client javascript hash sha256(sha256(login + password) + salt) and store the pair (login, hash) in the localstorage (html5, be carefull to modernizer or other stuff like this, this pair need to stay private)
- Server check if (sha256(stored_hash_for_login + salt_in_session) == hash received)
- Server : if it's ok store the token shared with the Client
- Client logged in
Now Everytime the client want to make a authenticate request, he will use the following method :
- get the pair (login, token) from localstorage
- generate a hash of is request like this :
- hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
- The param need to be in alphabetic order.
The Server receive the request (login, timestamp, params, hash_request), check if the timestamp is not too old and do the generate the hash_request from the token in hashmap for the login and check if it the same. In this way, you avoid the replay (timestamp) and the clear password.
Upvotes: 4
Related Questions
- Token authentication with PHP REST client
- How to Authenticate an API in PHP?
- token based authentication in php
- Validating tokens in REST api
- PHP Rest API Call with Authorization
- Token Authentication for Rest API
- PHP rest API authentication
- PHP RESTful API to accept authentification
- How do I handle authorization to an API written in PHP
- PHP: call to a REST api