Rest API and Sessions, how does Login work?


I've always worked with PHP / MySQL and JavaScript / jQuery. I've always connected PHP to the database directly, and I use sessions to log in.

I'm currently working on a project where I use AngularJS for the frontend and PHP / MySQL for the backend as a kind of API that feeds the main application with database data. But as I explained earlier, I have always used sessions to handle the login, so my question is: what is the best option for doing this login and staying logged in? Should I always send the username and password to the API to remain authenticated? Should I use some kind of token with an expiration time? But in the case of a browser (web application), where would I store this token? So would I still use sessions?

Anyway, I do not know if I said something silly, if so, please correct me.

asked by anonymous 08.12.2015 / 21:32

1 answer


The idea is to build a REST API, which is stateless (it does not keep state). Each user asks the REST API for a token, and with that token accesses the endpoints they need to consult.

To do this, you create a user registry for the applications that will use your API. You give the client a client_secret and client_id for each application.

With the client_secret and client_id, the user can call an endpoint that validates that information and returns the token to be used on each request.

Adapting this to your case, imagine that on every Angular AJAX call (or $http, which uses AJAX in the background) you pass the token along with the call; internally you validate the token and allow access.

For each token, you can create functions (or roles), granting public or partial access to your API. Or you can allow applications to have a token for a shorter or longer time.

A personal suggestion: consider leaving some endpoints of your API public. Sometimes your information can help others build more things on top of your API, which may end up bringing more value to your content. And depending on the access, you can even charge for it.

This is, in short, how you work with a REST API and OAuth; a careful look at the specifications and at how other APIs operate helps a lot in understanding the subject.

Here are some I particularly like to look at.

09.12.2015 / 12:49
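The token flow the answer describes, as an added PHP example (not code from the question or the answer): the client exchanges its client_id and client_secret for a signed, expiring token, and every later API call is authorized by validating that token with no server-side session. The client registry, server key, secret and expiry values are constructed for this demo.

```php
<?php
// Added example: stateless bearer tokens for a PHP REST API, as the answer
// describes. Registry, key and TTL below are constructed placeholders.
const SERVER_KEY = 'replace-with-a-long-random-key-kept-outside-the-code';
const TOKEN_TTL  = 3600; // seconds a token stays valid

// Client registry: store only a password_hash() of each client_secret.
$clients = [
    'angular-app' => password_hash('demo-secret', PASSWORD_DEFAULT),
];

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// POST /token: validate client_id + client_secret, return a signed token.
function issueToken(array $clients, string $clientId, string $clientSecret): ?string {
    if (!isset($clients[$clientId]) || !password_verify($clientSecret, $clients[$clientId])) {
        return null; // unknown client or wrong secret
    }
    $payload = b64url(json_encode(['cid' => $clientId, 'exp' => time() + TOKEN_TTL]));
    $sig     = b64url(hash_hmac('sha256', $payload, SERVER_KEY, true));
    return $payload . '.' . $sig;
}

// Every other endpoint: check the Authorization: Bearer header, no session needed.
function validateToken(string $token): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SERVER_KEY, true));
    if (!hash_equals($expected, $sig)) {
        return null; // signature mismatch: token was forged or altered
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
        return null; // expired (or malformed) token
    }
    return $claims;
}

// Demo exchange: the client obtains a token, then presents it on an API call.
$token  = issueToken($clients, 'angular-app', 'demo-secret');
$auth   = $_SERVER['HTTP_AUTHORIZATION'] ?? ('Bearer ' . $token);
$claims = validateToken(substr($auth, strlen('Bearer ')));
echo $claims ? "authorized as {$claims['cid']}\n" : "401 Unauthorized\n";
```

On the Angular side, each $http call carries the token in an `Authorization: Bearer <token>` header, which is what the backend above checks.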