![]() I'm using PHP, and MySQL, on apache2 webserver. This way, a user can access/change only that data which is related to his userid, and not other user's ids.ĭo you guys think this is enough? Or are there flaws to this method? Examples include a wireless keycard opening a locked door, or in the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the. The token is used in addition to or in place of a password.It acts like an electronic key to access something. UPDATE : My token mechanism is as follows :ġ)Generate 2 random tokens : token1 and token2.Ģ)Generate a hash like this : token1+userid+SALTĤ)Send token1, token2, and the new hash (i call it id_hash)Ģ)If token2 does not match with that from database, return FALSE.Ĥ)Hash it in the following order : token1(received) + userid (session) + SALTĥ) Verify the newly verified hash with the id_hash received.Ħ) If matches, return TRUE, else return FALSE. A security token is a peripheral device used to gain access to an electronically restricted resource. But still, even one request can be highly dangerous. What do you guys think will be the method to dispose of the token if the request was aborted after token being issued?Īlso, even if the clients gains access to a token, he can make only one request before the token is flagged invalid. This is working exactly like it should, but if someone makes a request, and aborts it as soon as the token has been received on client side, then the active token will still be in database, and can be used maliciously by a hacker.Īlthough I delete the tokens from database in verifyToken step, but if the token hasn't reached it, it will still be usable. I have implemented a security system in a project I'm working on, as follows (please tell me if something is unclear in the diagram, its simple though) ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |