Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>Well, I would highly suggest <strong>not</strong> sending the username / password across plain text under any circumstance (even when under SSL). Instead, I'd suggest using a Digest form of authentication.</p> <p>Instead, I would suggest generating a large authentication token (a random string of large size, 128 characters would work). Then, the users would install this "token" in their app.</p> <p>Now, when the app checks for updates, it first fires a request to your server asking for a digest token. This is a random, one time use token that's only used for exactly one request. Your application should generate a token, store it in a durable format (file, memory, database, etc) along with the timestamp, and then send it back.</p> <p>Now, your application receives this digest token (called <code>$dt</code> here). Then, you hmac it with the pre-configured authentication token that was already given.</p> <pre><code>$authBit = $username . ':' . $authToken; $hash = hash_hmac('sha256', $authBit, $digestToken); $authField = $username . ':' . $hash . ':' . $digestToken; </code></pre> <p>Then, you send the <code>$authField</code> to the server. The server will then split the parts:</p> <pre><code>list ($user, $hash, $digestToken) = explode(':', $authField); </code></pre> <p>Now, you first lookup the user's authentication token in the database and store it in <code>$authToken</code>. Then, you lookup the <code>$digestToken</code> to make sure that it exists and that it was created less than 60 seconds ago (you can adjust this if it's too short, but don't make it significantly longer). Either way, delete it from the db at this point (to prevent it from being reused).</p> <p>Now, if the <code>$digestToken</code> exists and is valid, and you can find a <code>$authToken</code>, then just do the following check:</p> <pre><code>$stub = $user . ':' . $authToken; if ($hash == hash_hmac('sha256', $stub, $digestToken)) { //valid user } else { //Not valid } </code></pre> <p>It has the benefit of changing the sent token each and ever single http request (anyone reading the request stream won't be able to get any sensitive information from the request, other than the username which you could mask further if you'd like)...</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload