
I'm sorry to put another REST authentication question on the website, but I really need to get a complete answer. I have a REST API through which I try to log in to a single-page website (through jQuery).

I want to create a token based authentication, but there is some step I still can't understand.

At first, do I have to make a normal authentication to get and store the user login/password in the DB? Do I have to use the user session to store the token? Does someone have an example of PHP code that I can use?

source :

----------- EDIT ---------------

Ok, I have some news to add.

  • First, yes, I have to make a normal authentication by sending the pair login, sha1(login+passwd).
  • After, no, never use the session as a secure way to store data; the login and sha1(login+passwd) will be stored in the database or in an application-scope storing solution, like a hashmap.
  • But I still need you if you have a piece of PHP code. It's the reason why I put my answer as an edit.

1 Answer

up vote 2 down vote accepted

Oh, I just saw the badge "no view and no answer for a long time" and it brought me back here. I've finally found the answer:

Registration is something you do only once, so you can send the hash key without really good protection (I mean against sniffing).

So here is the scenario to register:

  • Client enters login and password
  • Client sends login, hash (sha256(login + password))
  • The server stores this pair in the database (you can cache it in a hashmap to increase speed)

Now for the login:

  • Client: asks for a session salt through a REST service or a hidden field in the HTML page.
  • Server: generates the salt from datetime and random and stores it in the session
  • Client enters the login and password
  • Client JavaScript hashes sha256(sha256(login + password) + salt) and stores the pair (login, hash) in localStorage (HTML5; be careful with Modernizr or other stuff like this, this pair needs to stay private)
  • Server checks if (sha256(stored_hash_for_login + salt_in_session) == hash received)
  • Server: if it's OK, stores the token shared with the Client
  • Client logged in

Now every time the client wants to make an authenticated request, he will use the following method:

  • get the pair (login, token) from localStorage
  • generate a hash of his request like this:
  • hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
  • The params need to be in alphabetical order.

The server receives the request (login, timestamp, params, hash_request), checks that the timestamp is not too old, generates the hash_request from the token in the hashmap for the login and checks if it is the same. In this way, you avoid replay (timestamp) and the clear password.

Thanks for the answer. –  hardik Jul 15 '14 at 10:30
