I find web security to be a very interesting subject and I am trying to learn how to make APIs and RESTful Web Services. I was reading this answer and just have some questions about the process described in Way-2. I understand the gist of Way-2, but I start having questions at Step 4.
First let's describe the token variable.
$token = '123';
$tokenHashed = 'abc';
$tokenEncrypted = 'xyz';
At Step 4 we have verified the user, and now it is time to create a token and associate it with that user in the database as well as send it to the client. Here are questions I have about that process:
- The token we store in the database, is it "hashed(abc)", "encrypted(xyz)", or "neither(123)"?
- When we send it to the client, do we send it "hashed(abc)", "encrypted(xyz)", or "neither(123)"?
- Where is this token stored on a client machine? I am using PHP, so would it be in a $_SESSION or $_COOKIE variable? Does it matter? Which one and why?
I think that covers everything under Step 4, so let's move on to Step 5. One thing that concerns me about Step 5 is that it says, "The caller then sends this auth token..." I've read that you NEVER transmit the token, so here come some more questions (assume the client has the token stored in whatever fashion answer 2 above states):
Does the client send the token "hashed(abc)", "encrypted(xyz)", or "neither(123)"?
If they are just sending it back how we sent it to them, then what is the point? If someone hijacks the token in whatever form we sent it, won't it always match how we stored it? For example, I send USER X a random hashed string (abc). USER Y intercepts it and sends me (abc). My DB says 'abc', security fail.
I will probably keep developing/adding questions as answers come in. Thank you for your help!
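As an added example (not code from the question or the linked answer), here is one common way to implement the Step 4/5 token flow in PHP: the server keeps only the hash of the token (the "abc" form) and the client receives and sends back the raw random value (the "123" form). The in-memory `$db` array, `issueToken` and `lookupToken` are assumptions standing in for a real token table and its queries.

```php
<?php
// Added example: constructed stand-in for the token table, keyed by token hash.
$db = []; // token_hash => user_id

// Step 4: the user has been verified; mint a random token, persist only its hash,
// and hand the raw value back so it can be sent to the client (over TLS).
function issueToken(array &$db, int $userId): string {
    $raw = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG; this is what the client gets
    $db[hash('sha256', $raw)] = $userId;    // the database never sees the raw token
    return $raw;
}

// Step 5: the client presents the raw token; hash it and do a plain equality lookup.
// Because the stored value is a hash, the lookup can be an ordinary indexed query.
function lookupToken(array $db, string $presented): ?int {
    $h = hash('sha256', $presented);
    return $db[$h] ?? null;                  // null means "no such session"
}

// Demonstration of the three forms from the question.
$raw = issueToken($db, 42);                  // "123": raw value sent to the client
$storedHash = array_key_first($db);          // "abc": what the database holds

var_dump(lookupToken($db, $raw) === 42);     // bool(true): the real client is accepted
var_dump(lookupToken($db, $storedHash));     // NULL: replaying the stored hash does not work
var_dump(lookupToken($db, 'garbage'));       // NULL: unknown token
```

Hashing at rest only limits the damage if the database is read; it does nothing against a token captured in transit, which is why the raw value must only ever travel over TLS.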