Reputation: 703
Generating secure tokens for server requests with username and generation time in it
I want to generate a security token for my server. A user gets a token if login was successfull, and have to send it with every server request, instead of the password. A token expires after some hours and the user have to login again.
I thought of several methodes for token creation. I want that the username and the time the token was made is part of it. The first idea I had was:
username+;+servertime+;+random bytes
I will always use thatmuch random bytes that the hole strings length is 64 chars. The next step would be to encrypt it (I thought of AES256). But since the username is allways part of the token, it is easyer to hackers to get the encryption key or? Is it a bad idea to put the username in the token?
So I thought of chaning the key once of 24h, and if the user sends an old token I cant retrive his name and the system time so I know the token is old.
How to "professional" tokens work? Am I missunderstanding the idea of a token?
Upvotes: 0
Views: 101
Answers (1)
Reputation: 2625
What you have described is called a SESSION. They are neat things. You can start a session every page then track a variable in your session storage to ensure that its valid by storing a randomly generated token in a databaase table. After every login, update the database token, this invalidates all other tokens for that user.
http://php.net/manual/en/features.sessions.php
Upvotes: 1
Related Questions
- Generating cryptographically secure tokens
- Creating access token by encrypting user's id + time as JSON
- best practice to generate random token for forgot password
- Generate cryptographically secure tokens with built-in expiration period
- generate php access token
- Script to generate unique token
- One-time login tokens for third-party access to a resource
- php generate token synchronized based on time stamp
- PHP token security
- How to make a well-formed request token?