I am trying to implement a thing like OAuth in PHP and what I want to do is give tokens to users so they can use their private resources. Every user first must login with their email and password and get a unique token which would be valid forever unless it's idle for "n" minutes. So if there are zero requests for "n" minutes, the token should be destroyed. The token would be used to access private resources by users.

One thing I can think of doing this is as...

I would maintain a db table named user_tokens and as they login with their username and password the entry with a unique token would be created there. The last accessed timestamp would be set and the user would be given the unique token as the response. The token now can be used to access private resources of the user and would be required to be passed with all requests requiring a token. Every private request would check if the last timestamp and current timestamp have "n" minutes of difference; if yes, destroy the token. Otherwise send the response with the requested resources and set the last timestamp to the current timestamp.

Does that make sense? Or is there another, more efficient way of doing this?

I would like to add that the token must be like what twitter or facebook returns out of their API.

Umair A.
  • Why are you trying to reinvent the wheel, and where doesn't OAuth suit your needs? – Grad van Horck Dec 15 '11 at 14:47
  • I have never used OAuth but have just read about it. That's the only reason. I want this things done soon with already known concepts I have. – Umair A. Dec 15 '11 at 14:50
  • I'd really go for implementing a php oauth library (like php-oauth, or the PHP extension). When dealing with security it's a very good practice to use existing, well thought out standards, rather than implement your own. The chance that you make a little cryptography bug is much bigger than with using a proven standard. Plus, as a bonus, writing clients is easier, you can also reuse OAuth clients, and other developers don't need special documentation to talk to your service. – Grad van Horck Dec 15 '11 at 15:07
  • The one other difference I can see is: the user would pass email and password to the API to get a token. In OAuth it redirects the user to the website page where they ask for it and redirect back to the returnURL, right? – Umair A. Dec 15 '11 at 15:09
  • The whole redirection thing in the OAuth flow is optional, and is used to enhance the user experience (see applications like twitter). There is no reason that you can't display the user's access_token when viewing their profile page on your website. (In fact, this is also what twitter does, when you view one of your apps in your developer dashboard). – Grad van Horck Dec 15 '11 at 15:40
  • What OAuth API for PHP do you prefer which is quick to learn and easy to implement and secure as best? – Umair A. Dec 15 '11 at 16:06
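The idle-expiring token table the question sketches, written out as an added example (this is not code from the question or from any answer). It uses PDO with an in-memory SQLite database so it runs on its own; the table name user_tokens comes from the question, while the column names, the TokenStore class, and the 15-minute value for "n" are assumptions. Two details worth copying into any such scheme: only a hash of the token is stored, so a dumped table cannot be replayed as credentials, and the token comes from random_bytes rather than anything derived from the user or the clock.

```php
<?php
// Added example (not from the question or answers): an idle-expiring bearer
// token store in PHP. Table name user_tokens is from the question; column
// names, the class name and the 15-minute idle limit are assumptions.

declare(strict_types=1);

final class TokenStore
{
    private PDO $db;
    private int $idleSeconds;

    public function __construct(PDO $db, int $idleMinutes)
    {
        $this->db = $db;
        $this->idleSeconds = $idleMinutes * 60;
        // Only the SHA-256 of the token is stored. The token has 256 bits of
        // entropy, so an unsalted hash is enough to make a leaked row useless.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS user_tokens (
                token_hash TEXT PRIMARY KEY,
                user_id    INTEGER NOT NULL,
                last_seen  INTEGER NOT NULL
            )'
        );
    }

    // Called after the email/password check has already succeeded.
    // Returns the raw token to hand to the client: 32 CSPRNG bytes, hex-encoded.
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $stmt = $this->db->prepare(
            'INSERT INTO user_tokens (token_hash, user_id, last_seen) VALUES (?, ?, ?)'
        );
        $stmt->execute([hash('sha256', $token), $userId, $now]);
        return $token;
    }

    // Validates a token presented with a private request. Returns the user id
    // on success, null otherwise. A token idle for longer than the limit is
    // deleted on the spot, as the question describes.
    public function authenticate(string $token, int $now): ?int
    {
        $hash = hash('sha256', $token);
        $stmt = $this->db->prepare(
            'SELECT user_id, last_seen FROM user_tokens WHERE token_hash = ?'
        );
        $stmt->execute([$hash]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;
        }
        if ($now - (int) $row['last_seen'] > $this->idleSeconds) {
            $this->revoke($token);
            return null;
        }
        // Sliding window: every successful request moves last_seen forward.
        $upd = $this->db->prepare(
            'UPDATE user_tokens SET last_seen = ? WHERE token_hash = ?'
        );
        $upd->execute([$now, $hash]);
        return (int) $row['user_id'];
    }

    // Explicit logout, and also used internally when a token goes idle.
    public function revoke(string $token): void
    {
        $stmt = $this->db->prepare('DELETE FROM user_tokens WHERE token_hash = ?');
        $stmt->execute([hash('sha256', $token)]);
    }
}

// Demonstration with a 15-minute idle limit (assumed value for "n").
$store = new TokenStore(new PDO('sqlite::memory:'), 15);
$t0 = time();
$token = $store->issue(42, $t0);

var_dump($store->authenticate($token, $t0 + 600));         // 10 min idle: inside the window
var_dump($store->authenticate($token, $t0 + 600 + 900));   // exactly 15 min since last touch
var_dump($store->authenticate($token, $t0 + 1500 + 901));  // 15 min + 1 s idle: token destroyed
var_dump($store->authenticate($token, $t0 + 1500 + 902));  // the row is already gone
```

The clock is passed in as a parameter rather than read inside the class so that the idle boundary can be exercised deterministically; in a real endpoint the caller supplies time(). Because the token is a bearer credential, it should only ever travel over TLS, which is the same constraint that applies to the OAuth access_token the comments discuss.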

2 Answers

I'm using session_regenerate_id to generate the token; before, I was using session_id, but I had figured out that using session_id the sessID never changed its value, so regenerating it was a solution that fits me.

Now I can even control if there is the same user but with a different sessID and give the option to log out the sessions of one user.

I do not know if it is exactly what you are looking for, but it solves my problem about TOKEN. And it will never repeat.

Reference: https://www.php.net/manual/en/function.session-regenerate-id.php

nyedidikeke
devasia2112
If you're looking to implement OAuth using a library you should check out the HTTP_OAuth pear package by Jeff Hodson of Digg[1], and there are a bunch of good posts on this site about database design to use with Oauth[2].

I think I'm confused about your question, though. Are you looking to make an API for your web application, or just provide a way to protect a user's resources? If you want to make an API, you should definitely use OAuth and also use a well known library. Doing so will ensure that:

  1. Other developers will know how to use your API because it follows the OAuth RFC[3]
  2. Your web application is much more likely to be secure
  3. You become aware of best practices and learn some new stuff

If you aren't looking to make an API, and just want to protect user resources, I think you would be safe using sessions[4], and, if the user is not logged in they can't access the protected resources.

[1] HTTP_OAuth Package : http://pear.php.net/pepr/pepr-proposal-show.php?id=607
[2] Oauth Database Design : what is the recommended database structure for OAuth Provider
[3] Oauth RFC : http://oauth.net/
[4] PHP Sessions : http://us2.php.net/manual/en/features.sessions.php

Steve
  • what if I think I should implement OAuth but without the library? – Umair A. Dec 16 '11 at 12:23
  • If you have enough time and really want to learn the intricacies of the spec, then I say go for it! It will likely take a really good chunk of time to do, though, because of how detailed the spec is with the workflow, generating signatures, and handling requests. You could always use the library as a reference, but also take into consideration that the library has been used by a bunch of people already, so it's really stable. – Steve Dec 16 '11 at 15:14