
I have read a lot about it but I still don't completely get it.

I may use a library of an existing solution in the future, but I want to understand and implement my own system right now.

In order to be stateless and scalable, I think I mustn't store user context on the server.

The main problem is a conceptual one; if I understand the system I will succeed in coding it.

I have tested code found on the Internet, which I have modified (French website ref: http://blog.nalis.fr/index.php?post/2009/09/28/Securisation-stateless-PHP-avec-un-jeton-de-session-(token)-protection-CSRF-en-PHP). Can you tell me if it's correct or if I don't get it?

So to create a token I use this function, which takes the user's data as a parameter:

define('SECRET_KEY', "fakesecretkey");

function createToken($data)
{
    /* Create a part of token using secretKey and other stuff */
    // Note: depending on the web server configuration, SERVER_NAME may be
    // derived from the client-supplied Host header rather than a fixed value.
    $tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"]; // It can be 'stronger' of course

    /* Hashing the generic part together with the user data gives the token */
    $token = hash('sha256', $tokenGeneric.$data);

    return array('token' => $token, 'userData' => $data);
}

So a user can authenticate himself and receive an array which contains a token (genericPart + his data, encoded), and his data not encoded:

function auth($login, $password)
{
    // we check user. For instance, it's ok, and we get his ID and his role.
    $userID = 1;
    $userRole = "admin";

    // Concatenating data with TIME
    $data = time()."_".$userID."-".$userRole;
    $token = createToken($data);
    echo json_encode($token);
}

Then the user can send me his token + his un-encoded data in order to check:

define('VALIDITY_TIME', 3600);

function checkToken($receivedToken, $receivedData)
{
    /* Recreate the generic part of token using secretKey and other stuff */
    $tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"];

    // We create a token which should match
    $token = hash('sha256', $tokenGeneric.$receivedData);

    // We check if token is ok! hash_equals compares in constant time,
    // whereas != would leak how many leading characters matched.
    if (!hash_equals($token, (string)$receivedToken))
    {
        echo 'wrong Token !';
        return false;
    }

    // $receivedData is "<timestamp>_<userID>-<userRole>": split on the first "_" only
    list($tokenDate, $userData) = explode("_", $receivedData, 2);
    // here we compare tokenDate with current time using VALIDITY_TIME to check if the token is expired
    // if token expired we return false
    if (!ctype_digit($tokenDate) || time() - (int)$tokenDate > VALIDITY_TIME)
    {
        echo 'expired Token !';
        return false;
    }

    // otherwise it's ok and we return a new token
    // (same "_" separator as above, so the refreshed token can be parsed on the next check)
    return createToken(time()."_".$userData);
}

$check = checkToken($_GET['token'] ?? '', $_GET['data'] ?? '');
if ($check !== false)
    echo json_encode(array("secureData" => "Oo", "newToken" => $check)); // And we add the new token for the next request

Am I right?

Sorry for this long message and sorry for my English.

Thanks in advance for your help!

Exayy
    If the code already works, then the question is not a good fit for SO. If you're concerned about security, try http://security.stackexchange.com/ . If you want someone to review the code, try http://codereview.stackexchange.com/ – laurent Aug 02 '14 at 23:03
  • Hey, have you figured if this is a right way of implementing token based authentication? I can't find any php library that would do it for me and I can't find any examples on php either. – dKab Feb 08 '15 at 06:53
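A hardened form of the scheme discussed in the question, added here as an example (it is neither the asker's code nor code from the linked blog post): a keyed HMAC instead of hash(secret.data), a constant-time comparison, an explicit expiry check, and a payload whose separator cannot collide with the fields. The secret value, the '|' separator and the function signatures are assumptions of this example.

```php
<?php
// Added example, not the asker's code: the same stateless idea, hardened.
// Assumptions: SECRET_KEY is a long random value known only to the server
// (placeholder here), and '|' never appears in the user id or role.
define('SECRET_KEY', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');
define('VALIDITY_TIME', 3600);

/* Token = HMAC over "<issuedAt>|<userId>|<role>"; the payload travels in clear. */
function createToken(int $userId, string $role, ?int $now = null): array
{
    $now = $now ?? time();
    $payload = $now . '|' . $userId . '|' . $role;
    // hash_hmac keys the hash properly. A bare hash(SECRET . $data) with SHA-256
    // is subject to length extension, so it is not a safe MAC construction.
    $sig = hash_hmac('sha256', $payload, SECRET_KEY);
    return ['token' => $sig, 'userData' => $payload];
}

/* Returns ['userId' => ..., 'role' => ...] or null if forged, malformed or expired. */
function checkToken(string $receivedToken, string $receivedData, ?int $now = null): ?array
{
    $now = $now ?? time();
    $expected = hash_hmac('sha256', $receivedData, SECRET_KEY);
    // Constant-time comparison; '!=' leaks how much of the prefix matched.
    if (!hash_equals($expected, $receivedToken)) {
        return null;
    }
    $parts = explode('|', $receivedData, 3);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;                       // malformed payload
    }
    [$issuedAt, $userId, $role] = $parts;
    if ($now - (int)$issuedAt > VALIDITY_TIME) {
        return null;                       // expired
    }
    return ['userId' => (int)$userId, 'role' => $role];
}

/* Self-check with constructed values: valid, expired, and tampered role. */
function selfTest(): bool
{
    $t = createToken(1, 'admin', 1000);
    $ok      = checkToken($t['token'], $t['userData'], 1500) === ['userId' => 1, 'role' => 'admin'];
    $expired = checkToken($t['token'], $t['userData'], 1000 + VALIDITY_TIME + 1) === null;
    $forged  = checkToken($t['token'], '1000|1|superadmin', 1500) === null;
    return $ok && $expired && $forged;
}
echo selfTest() ? "all checks passed\n" : "FAILED\n";
```

The client sends back both `token` and `userData`; the server needs no stored session because the HMAC, not a database lookup, proves the payload was issued by it and not altered.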

1 Answer


The problem in your code is: you are basing your entire system on $_GET, whereas the original post is based on cookies. You should store the token in cookies (based on your original post) instead of using $_GET. By the way, a few tweaks:

list($tokenDate, $userData) = array_pad(explode("_", $receivedData), 2, null); // array_pad needs the target size and a pad value, so both variables are always set

In the next code I don't see how you use $login, $password:

function auth($login, $password)
{
    // we check user. For instance, it's ok, and we get his ID and his role.
    $userID = 1;
    $userRole = "admin";

    // Concatenating data with TIME
    $data = time()."_".$userID."-".$userRole;
    $token = createToken($data);
    echo json_encode($token);
}
Elias Nicolas