I'm developing an application where the user can log in by providing their email and password. After that, I make a request to my PHP server, which checks in the database whether the data exists and is correct (if yes, it returns status = true and some more data; otherwise, it returns status = false).
It turns out that I want the user not to have to log in every time they open the app, but what is the best way to do this?
I know I should not save the email and password through Ionic Storage (I use it only for non-sensitive data, such as name, surname, photo, etc.). I also took a look at Secure Storage (to store sensitive data only); however, it requires that the user has a certain level of security on their device (a lock screen password) to work, and this is not feasible for my app (not everyone uses a password on the lock screen).
From my research, I saw that most of the recommendations would be: upon login, the PHP server generates an access token, stores it in the database (linking the token to the user), returns it to the app, which saves it to Ionic Storage, and then, every time the app is opened, the app sends that token with the request and the server checks in the database whether it exists and is valid.
Faced with this, I thought of the following:
Save the user id (I'll use it in almost all actions in my app) and the token in Ionic Storage, then, at the time of authentication, verify that the token exists for the given id. This discards the possibility of some malicious user accessing the app's storage, simply changing the id and passing as the user corresponding to that id, because in addition to the id, they would also have to get the token generated for that user.
Is this a secure way to authenticate? If not, how to do it?
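The server side of the token scheme described above, as an added example that is not code from the question. It assumes a table `auth_tokens(user_id, token_hash, expires_at)` and uses an in-memory SQLite database in place of the real one so the file runs on its own; the function and table names are hypothetical.

```php
<?php
// Added example (not from the question): opaque "stay logged in" tokens issued by the PHP server.
// Only the SHA-256 hash of each token is stored, so a leaked database does not yield usable tokens,
// and the user id is taken from the token row rather than from the request, so editing the id
// saved in Ionic Storage cannot switch accounts.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30; // 30 days, then the user must log in again

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');            // stand-in for the real database (assumption)
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_tokens (user_id INTEGER NOT NULL, '
            . 'token_hash TEXT NOT NULL UNIQUE, expires_at INTEGER NOT NULL)');
    return $db;
}

// Called once, after the email/password check has succeeded. Returns the raw token,
// which is sent to the app exactly once and never written to the database.
function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, not guessable
    $stmt = $db->prepare('INSERT INTO auth_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), time() + TOKEN_TTL_SECONDS]);
    return $token;
}

// Called on every app start with the token from Ionic Storage.
// Returns the user id the token belongs to, or null when it is malformed, unknown or expired.
function userIdForToken(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                             // reject malformed input before touching the DB
    }
    $stmt = $db->prepare('SELECT user_id, expires_at FROM auth_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    return (int) $row['user_id'];
}

// Logout (or "sign out everywhere" with a WHERE user_id = ?): deleting the row
// makes the token stored on the device stop working immediately.
function revokeToken(PDO $db, string $token): void {
    $stmt = $db->prepare('DELETE FROM auth_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
}

$db = openDb();
$token = issueToken($db, 42);                    // constructed user id
var_dump(userIdForToken($db, $token));
revokeToken($db, $token);
var_dump(userIdForToken($db, $token));
```

With this layout the app only needs to store the token; the user id it keeps for convenience is never trusted by the server.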