0

I have to implement a token based authentication.

Users have a username and a password. I use the SHA512 method to encrypt the password before inserting it into the database. For retrieving data from the server, making queries and other simple actions, I need to know who is asking for the data and if this person is authenticated. I want to use a token. During the registration the server creates a token for the user and saves it in the Person table into the database, with username and encrypted password. Now, when a user wants to get some data from the server, he can use the token.

Is there a way in which the server can understand who the user is using token, or do I need to pass the username too? How can I know when the token expires without adding a field in the Person table?

I'm not sure I have understand the proper use of a token, and I have no idea on how implement it. I use php for implementing communications between the server/database and an Android application.

rasmeta
  • 437
  • 2
  • 11
Michele Benolli
  • 53
  • 10
  • SHA512 hashing is not secure enough to store passwords. You need to use Bcrypt or PHP's `password_hash()` method. – Styphon Apr 22 '15 at 14:03
  • possible duplicate of [The definitive guide to form based website authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – yergo Apr 22 '15 at 14:07

1 Answers1

0

As you said, it's better to provide username and token each time you send request to the backend. So you can know if the token is expired or not. Also this let your service/backend support HTTP Basic authentication which requires a caller to set a specific header contains username:password encoded using base64.

sudanix
  • 465
  • 3
  • 8