Problems with tokens saved in session?

0

I'm developing an application in PHP and in the authentication part I have the following code:

    public function chamaApi(){
        // API call via curl (omitted in the post); $response holds the raw JSON body
        $profile = json_decode($response);

        if($profile->error != true){
            // keep only the API key, server-side, in the session
            $this->openSession($profile->data->api_key);
        }
    }

$profile gets the result returned by the API (login user id, API access token, name and email).

    // receives the API key from chamaApi() and stores it in the server-side session
    public function openSession($profile){
        $_SESSION['profile'] = $profile;
    }

My question is whether there is any problem in managing the session using the API access token (unique for each user). And if there is a problem, what would be the best way to manage the session for application security?

PS: I do not use a framework!

asked by anonymous 18.10.2015 / 03:00

1 answer

1

Dude, if the token value is not visible in the cookie, then there is no problem. Because that value is saved on the server side, the user does not have access to it, and so it is not a problem.

In the default authentication mode, we usually put the user id directly in the session; it alone is enough to give access to whatever that particular user can do.

The same thing happens with this token; the difference is that instead of an id, you are using a random string that connects to the API.

The most important thing is that you work on this session management as safely as possible, avoiding session hijacking, etc., because that can be a problem.

In a very common scenario, a browser extension can take the value of the cookie and pass it to another user, who can set the cookie directly on the site and gain access to what the original user was accessing from another machine.

If you're working with Composer in your application, I recommend you learn about Symfony's HttpFoundation. It has several utilities to handle requests, etc., but what I find really impressive in it is the session management. It is the same one used in the framework itself and is very safe and simple to use.

PS: You do not need to use the entire framework to use this component.

18.10.2015 / 06:07
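As an added example (not code from the asker or the answerer), this is how the `openSession()` flow above can be hardened with native PHP only, no framework: the session id is regenerated on login so a pre-login id captured by an attacker is useless, the session cookie is marked HttpOnly/Secure/SameSite so a script or a plain cross-site request cannot read or replay it, and the API key itself never leaves the server. It assumes PHP 7.3 or newer and that the site is served over HTTPS; the class name `SessionManager`, the eight-hour absolute timeout and the `login_at` key are my own choices, not from the post.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

final class SessionManager
{
    // Call once per request, before any output is sent.
    public static function boot(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;
        }
        // The browser never exposes the session id to JavaScript (HttpOnly),
        // only sends it over TLS (Secure) and not on cross-site navigations
        // that are not top-level GETs (SameSite=Lax).
        session_set_cookie_params([
            'lifetime' => 0,     // cookie dies with the browser
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
        ini_set('session.use_only_cookies', '1'); // never accept ids from the URL
        session_start();
    }

    // Equivalent of the asker's openSession(): called after a successful API login.
    public static function openSession(string $apiKey): void
    {
        self::boot();
        // New id on privilege change; the old session file is deleted, which
        // defeats session fixation.
        session_regenerate_id(true);
        $_SESSION['profile']  = $apiKey;   // stays server-side, never in the cookie
        $_SESSION['login_at'] = time();    // assumption: used for an absolute timeout
    }

    // Returns the stored API key, or null if there is no valid session.
    public static function apiKey(): ?string
    {
        self::boot();
        // Absolute timeout (8h, my choice): a stolen cookie has a bounded useful life.
        if (isset($_SESSION['login_at']) && time() - $_SESSION['login_at'] > 8 * 3600) {
            self::closeSession();
            return null;
        }
        return $_SESSION['profile'] ?? null;
    }

    // Logout: wipe the server-side state and expire the cookie in the browser.
    public static function closeSession(): void
    {
        self::boot();
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => time() - 42000,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'],
            ]);
        }
        session_destroy();
    }
}

// Usage from the asker's chamaApi(), after json_decode($response):
// if ($profile->error !== true) {
//     SessionManager::openSession($profile->data->api_key);
// }
// Later, when calling the API on the user's behalf:
// $key = SessionManager::apiKey(); // null means "ask the user to log in again"
```

The cookie flags limit what the extension scenario in the answer can do only partially: an extension with cookie permissions can still read the cookie, so the regenerate-on-login, strict mode and absolute timeout are what keep a copied id from being useful for long. If you do adopt Symfony's HttpFoundation instead, its `Session::migrate(true)` and `Session::invalidate()` cover the same regenerate and destroy steps.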