I am working on an authentication library for my website, and I want to use a token based authentication system, but I don't have a clue how to generate a secure session token so that I could identify users. Does anyone have any resources that would point me in the right direction?
A random authentication token could be enough, depending on the kind of architecture you have.
Or you could use GUIDs, ... There are a lot of possibilities; here is one:
When the user authenticates, generate a random token, add it into a cookie on the user's system and into the database. When the user comes back, the unique random token is searched in the database so you can establish the link between the random token and the user. Tada!

achedeuzot
- The way you guide to generate a token is very similar to forms auth in ASP.NET. If the token is added to a cookie and sent to the user's PC then it will be vulnerable to XSS attacks. – Mou May 13 '15 at 10:36
- @Mou There's the possibility of adding an HttpOnly cookie. And use HTTPS/SSL... Anyway, 99% of websites, even big ones, use a random token inside a cookie for the session. Even Facebook does this. So this method of generating secure tokens is not more nor less prone to XSS attacks than any other. – achedeuzot May 13 '15 at 12:01
- I believe everyone generates tokens randomly. An HttpOnly cookie is a bit more secure because people cannot read it with JS, but not bulletproof, I guess. – Mou May 13 '15 at 12:08
- Just tell me what the main difference is between forms auth and token-based auth. In the case of forms auth a token was generated server side and saved on the client PC, and in the token case the token is sent to the client side. If people want to persist the token then they have to store it in a cookie. So where is the main difference between forms auth and token-based auth? – Mou May 13 '15 at 12:10
- @Mou I'm not sure I get your question (by the way, new questions shouldn't be asked in the comments but in a separate thread), but you start with form auth with a login & password which, after validation, then gives you the random auth token for all following requests. If you need more details, please ask your own separate question. – achedeuzot May 13 '15 at 12:51