I'm building an application that doesn't need a login page because the server already asks for an sso and a password when accessing to any app in the server. The problem is that i need to save the user session but the sso api only gives me the ID of the user, so i was wondering how do i do that in Laravel 7?
I was thinking on a route /login/{id} that generates a token and saves it in the browser session and the database, and in every request the system verifies if the token is the same. I don't know if there is a better way to save a session without password, and how to do it in php using Laravel methods.
Thank you.
Related
I am writing backend for a mobile app where the login info (user), details of the app and everything used in the mobile app will be on the server side.
That's how I have written the app flow:
The created users are saved on the server side via registration API
The newly created users send credentials and after authentication, I generate a dynamic token which is shared with the user for rest of the API calls
For every other call that a user makes, the token is authenticated and then the response is generated.
Each login generates a new token so at a time the same user won't be able to use the same account on 2 different mobiles. Since on valid login, a new token will be generated for API usage.
Whole of the communication takes place over SSL so everything is already encrypted. I want to know the security threats that would be saved by OUATH 2 in this scenario.
P.S Please write your thoughts in comments if you down-vote this question. Will highly appreciate it.
I am developing a web application in Laravel. Now I'm in the process of creating an android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the request.
My idea is to create a unique token for every session, and store it in a database. So, every request need the token be included, and my backend will check if the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create an return the token?
I read the documentation and some articles in the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id anytime you call any of your api's to authenticate the user.
You can create a filter named custom_authentication and check for the token validity inside that filter. Now just apply this filter before every routes, which you want to be authenticated.
Using only simple authentication token is not very secure, you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.
I am developing an android application in which users need to register and log in using Facebook.
Approximately, this would be the flow.
Open the app for the first time, authenticate with Facebook, get their data, send the data to my server to create them an account in my application, start session with their new account in my server, get a cookie to perform later interactions.
So far so good.
What I need to know is wich data i have to send to my server, so i can be able to identify the users when they log in for the seccond time.
This is because i need to start session in my server and send a cookie to the android app to do the further interactions. I'm using PHP as server side language.
I was thinking about getting the getAccessToken() in the android facebook sdk, then pass it to my server on the account creation and storing it in my android app.
But i can't manage how to do it to login the users on the second time they use the app.
Any suggestions ? Thanks in advance !
To uniquely identify the user within your app, you should make a request to /me and get the user's id. This is guaranteed to be unique and remain constant for your user/app combination.
The access token is not guaranteed to remain constant.
I'm trying to create an authentified API system using Symfony2.
So far, I created several Entities (Database tables) and I am able to authenticate an user by using nickname and a password.
Symfony2 Auth System, returns a cookie with a typical PHPSESSID. With this cookie, I can check which user is logged and give information related with that user.
However, I've the following problems:
I don't know how can I login using POST sending user and password as params to Symfony Auth System.
I don't really know if I can store a cookie (even retrieve it) in Android ( NOTE I'm using AndroidAnnotations. https://github.com/excilys/androidannotations/wiki )
The last time I did an authentified API, I had to send user and password for every request. Maybe this is kinda OK? If it's, I'd love keep using this system. Otherwise I look for a new one.
Notes
I'm in an openmind situation ATM. I'd like to use Twitter / FB authentication in a near future. Maybe using those systems leads to a simplier login system.
Feel free to give any tips / implementations!
Thanks.
from the docs:
You should now store the access token in a database. Associate it with
the user it belongs to and use it from now on instead of sending the
user through the authorization flow.
On the front-end, we are using the javascript connect function, but then we want the PHP side to write some user info to the db.
I understand how to actually receive the authorization/token and it is implemented. Then I store the token in the user database next to the user's ID (that we generate). That's all fine.
But when the user re-visits our application and is logged into Soundcloud, What do I do with this token? As stated above, I should automatically log them in? What exactly is the process here? I am confused about what I have to check against.