
I would like to know if the implementation that I am using to log in to my website by token is secure.

Implementation in php:

We have a table with a token for every user that we want to be able to log in by token. This token is generated by the PHP function bin2hex(random_bytes(32)), bcrypted and then stored in the table of tokens, always using the same salt.

The token generated before the encryption is sent by email to the user with the whole url, for example: https://example.com/login-token.php?token=aa11aa11aa11aa11aa11aa11aa11aa11

Then when the user tries to log in via the URL, we bcrypt the token (with the same salt) and search for that one in the database. If it exists, we validate the user and delete the token from the table.

Is it secure enough?

fchillaron
  • Please see [The definitive guide to form-based website authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication?rq=1). It contains much useful information. – Ivan Z Nov 11 '15 at 21:53
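The scheme from the question, as an added example that is not the asker's code: the token is stored as a plain SHA-256 hash (a 256-bit random token cannot be guessed, so a slow salted hash adds nothing, and a fixed bcrypt salt only turns bcrypt into a deterministic hash anyway), given an expiry, and deleted on first use. The in-memory SQLite table, the 15-minute lifetime and the user id 42 are assumptions for the demo.

```php
<?php
// Added example (not the asker's code): one-time e-mail login tokens stored as
// SHA-256 hashes. Assumes an in-memory SQLite table; the asker's schema is unknown.

const TOKEN_TTL_SECONDS = 900; // constructed value: tokens expire after 15 minutes

function setupSchema(PDO $db): void {
    $db->exec('CREATE TABLE login_tokens (
        token_hash TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL)');
}

// Create a token for $userId and return the plaintext for the e-mail URL.
// Only the SHA-256 digest is stored: 256 random bits cannot be guessed, so a
// slow salted hash adds nothing, and a plain hash keeps the lookup an indexed
// equality (no per-row bcrypt, no fixed salt needed).
function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO login_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL_SECONDS]);
    return $token;
}

// Redeem a token from the URL: returns the user id, or null if unknown or expired.
// The row is deleted whether or not it has expired, so a token is single-use.
function redeemToken(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // anything that is not a 64-hex-char token is rejected early
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id, expires_at FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false) {
        $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([$hash]);
    }
    $db->commit();
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    return (int) $row['user_id'];
}

// Demo: issue a token for user 42, redeem it once, then show that reuse is refused.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
setupSchema($db);
$token = issueToken($db, 42);
var_dump(redeemToken($db, $token), redeemToken($db, $token));
```

After a successful redemption the application should still start a fresh session (session_regenerate_id) before treating the user as logged in.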

0 Answers