Reputation: 4604
I'm writing an iPhone app to be the mobile version of my website.
I intend to expose some REST API so the app can update the user's data.
I do not wish the user to log in every time, but I want to save his token/cookie and reuse it for all future requests.
I can set up a random token and pass it along with the user ID, but it's not very secure since it's easy to access it on a jailbroken device. I cannot restrict it using an IP, since the IP will probably change frequently (since it's a mobile device).
What's the best way to implement such an authentication which will be secure enough but won't annoy the user by asking him to authenticate himself often?
Upvotes: 5
Views: 2919
Reputation: 106
Send the UDID or MAC address with the initial login details to your server. Create a unique token for this user/UDID (or MAC) combination and send it back (encrypted) to the device if username/pass is successful. On subsequent access, the device sends the encrypted token and UDID/MAC (over a secure connection) for re-authentication.
If you want to put paranoid people at ease about tracking the UDID, you could instead use the UDID/MAC to salt the encrypted token. This won't be as secure, but it should still do the job.
Upvotes: 6