
I am working on a permission system. On each page it will need to check whether the user's token is correct.

I have two choices: store the token in a session variable, or query the database to check the token every time before allowing the user to use the service.

If I store it in a session variable and the session has expired, I query the database to check if the token exists and recreate the session.

Which is faster or better?

It's for an Android and website permission system via a REST API.

Krzysztof Atłasik, gulver

  • In general I (personally) expect REST APIs to be stateless, not using a session at all. – Jonnix Jun 12 '19 at 11:40
  • I have a service which takes a login and password and returns a token which is stored on the application. Then I have another service to get articles: if the user is logged in, he sends his token, and if it's valid the response is a JSON object with articles. So do you think it is better to query the database each time a user gets articles? Because in this way I must do 2 requests: the first to compare the token, the second to get the articles. – gulver Jun 12 '19 at 11:42
  • Depends what you're using for the token. JWTs for example could have everything you need for authorisation without having to query the DB. – Jonnix Jun 12 '19 at 11:52
  • I use a custom token; how can JWTs check the token without having to query the DB? Because I can't use JWT. – gulver Jun 12 '19 at 12:04
  • A JWT doesn't check the token, it _is_ the token. It contains the claims of the user built into it, so there isn't any need to have a separate data store to hold extra information of that type. – ADyson Jun 12 '19 at 12:10
  • You can google JWTs at your own leisure, it's too much for SO comments, especially if you can't use them anyway. Assuming your tokens are just random strings, yes, you'd check the permissions available against that token from the DB. – Jonnix Jun 12 '19 at 12:12
  • The problem: the token system is already implemented with a type of random strings; the permissions have 2 states: disconnected / logged in. Sorry, but for this project it's a problem to implement JWTs. An example: if you look at Facebook or other big sites which don't use JWT, they use random tokens; how do they check users' permissions? – gulver Jun 12 '19 at 12:23
  • They probably use a similar type of format which also contains claims. The exact format isn't the point, it's the concept of including that information within the token itself. Basically your "token" right now only contains one claim - "logged in" (or not). You need to include some more info about the user so that you can use it to decide who the user is and what they ought to be allowed to do, based on their attributes. The other thing you then need of course is some mapping between what claims a user has and what features of your specific application that will allow them to use. – ADyson Jun 12 '19 at 12:40
  • People only mention JWT because it's a standardised format and you'll find there are tools and libraries in place which can help you start generating and using them quickly, and there is wide compatibility with other SSO systems. It's not essential to use them (or any other commonly-known format), it just might be a good way to get started, and to be able to use the knowledge and expertise of others. Making your own authentication and authorisation system is not easy to get right. There are many mistakes you can make. But you can of course make your own version if you prefer. – ADyson Jun 12 '19 at 12:43
  • You might want to read about claims-based identity concepts in general, so you can understand what your goal ought to be. You could start with https://en.wikipedia.org/wiki/Claims-based_identity , and you can find much more information online. – ADyson Jun 12 '19 at 12:46
  • JWTs have some security fault, no? I don't use a framework, I code services in pure PHP and I haven't found a tutorial to implement JWT in this way. I need a logging system which is fast and doesn't use a lot of server resources. – gulver Jun 12 '19 at 13:34
  • "JWT have some security fault"... do you have some evidence about that? Probably any bug would be in the implementation of the code which makes use of the token. A token itself is just some text and can't inherently contain a bug. – ADyson Jun 12 '19 at 14:23
  • Anyway, no-one said anything about using a framework. What I said was you can perhaps use some existing code and add it to your application in order to help you generate and handle your tokens. That doesn't require any specific "framework" necessarily; you can integrate it into any application. Google "php jwt" and you'll see. As for logging, how is that relevant to a discussion of security tokens? Did you mean "login" rather than "logging"? There's nothing inherently slow about access tokens. In fact if it reduces the number of calls to your database, that might be quite helpful. – ADyson Jun 12 '19 at 14:26
  • Yes, I mean login, sorry. I heard JWT has a problem with signatures? So you think I must use JWT or another system with claims for my authentication system? – gulver Jun 12 '19 at 16:56
  • "I heard JWT have problem with signature"... from where? What's your source? What's your evidence? I'm not going to discuss a random abstract assertion you've made, unless you can back it up with a reputable source. – ADyson Jun 13 '19 at 13:42
  • Anyway, yes, I think it would be a good idea to use an established token format such as JWT, because then you benefit from all the work previously done, code libraries, community support etc. which are available when you do that. But it's up to you. – ADyson Jun 13 '19 at 13:43
  • Yesterday I said "problem with signature"; I've found that it concerns libraries with the "none" algorithm, see: [link](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). But it's true that if we use a good library it's secure. – gulver Jun 13 '19 at 18:32
  • With your help, I will turn to this system. I have a last question: the data that I want to send to my user, can I put it in the token regardless of its size? For example the list of all the messages he has sent. – gulver Jun 13 '19 at 18:35
  • That's not the kind of thing you put in a token. That's application data. The token contains attributes of the user e.g. name, department, region, age, or whatever else you store about them which you might use to determine their role in the application. – ADyson Jun 14 '19 at 05:54
  • These attributes are called "claims". Maybe read this https://stackoverflow.com/questions/22814023/role-based-access-control-rbac-vs-claims-based-access-control-cbac-in-asp-n, it might help you understand what claims-based authorisation is. – ADyson Jun 14 '19 at 06:03
  • I would send a JSON object in which there is my JWT token and other application data, for example: {token: JWTtoken, data: mydata} – gulver Jun 14 '19 at 11:42
  • Normally if you're sending an HTTP request containing application data, the data goes in the body of the request and the token is passed in an Authorization header. That's how everyone else does it. – ADyson Jun 16 '19 at 21:40
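To make the two options discussed in this thread concrete, here is an added example that is not code from the question or from any of the commenters (the asker's services are in PHP; this illustration is in Python). It places the approach the question starts from, an opaque random token that must be looked up in a store on every request, beside a self-contained HMAC-signed token whose claims (user id, role, expiry) are verified with no lookup at all. The token encoding is hand-rolled for illustration only; `SECRET`, the in-memory `TOKEN_STORE` standing in for the database table, and the role names are constructed assumptions. The verifier pins the algorithm server-side, so a token naming the `none` algorithm from the advisory linked above is rejected before any signature check, and the token is read from the `Authorization` header rather than from the JSON body, as the last comment describes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret for this example only; a real service loads it from configuration.
SECRET = b"example-only-hmac-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding JWT uses for each segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, role: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Self-contained HS256 token (header.claims.signature) carrying the user's claims."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "role": role, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None. No database involved."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64 or bad JSON (binascii.Error and JSONDecodeError are ValueErrors)
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The "none"-algorithm flaw in the linked advisory came from honouring whatever alg the token
    # itself names. Pin the algorithm on the server instead and reject everything else outright.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


# The approach the question starts from: an opaque random string looked up on every request.
# TOKEN_STORE is a constructed in-memory stand-in for the database table; only a hash of the
# token is stored, so the table contents alone cannot be replayed as tokens.
TOKEN_STORE = {}


def issue_opaque_token(user_id: int, role: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = {
        "sub": user_id, "role": role, "exp": int(now) + ttl_seconds,
    }
    return token


def lookup_opaque_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """One store lookup per request, which is exactly the cost the question asks about."""
    now = time.time() if now is None else now
    row = TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    if row is None or row["exp"] <= now:
        return None
    return row


def bearer_token(headers: dict) -> Optional[str]:
    """Read the token from 'Authorization: Bearer <token>' rather than from the JSON body."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def authorize(headers: dict, required_role: str, now: Optional[float] = None) -> Optional[dict]:
    """Per-request check for a protected endpoint: a valid signed token carrying the needed role."""
    token = bearer_token(headers)
    if token is None:
        return None
    claims = verify_token(token, now)
    if claims is None or claims.get("role") != required_role:
        return None
    return claims


if __name__ == "__main__":
    issued = issue_token(42, "member")
    print(authorize({"Authorization": "Bearer " + issued}, "member"))
```

The signed token removes the per-request database query the question is trying to avoid, which is why the commenters keep pointing at claims-based tokens. The trade-off is that the server can no longer revoke a signed token by deleting a row: it stays valid until `exp`, so the usual mitigation is a short lifetime (with a refresh step) or a small denylist checked only for the rare revoked token. The opaque-token path keeps instant revocation at the cost of one lookup per request.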

0 Answers