PHP Sessions and Unique User Tokens

Question

I am trying to implement a thing like OAuth in PHP and what I want to do is give tokens to users so they can use their private resources. Every user first must login with their email and password and get a unique token which would be valid forever unless it's idle for "n" minutes. So if there are zero requests for "n" minutes, the token should be destroyed. The token would be used to access private resources by users.

One thing I can think of doing this is as...

I would maintain a db table of named user_tokens and as they login with their username and password the entry with unique token would be created there. The last accessed timestamp would be set and user would given the unique token as response. The token now can be used to access private resources of user and would be required to pass with all request requiring token. Every private request would check if the last timestamp and current timestamp has "n" minutes of difference, if yes, destroy token. Otherwise send response with requested resources and set last timestamp to current timestamp.

Does that make sense? Or there can be another efficient way of doing this?

I would like to add that the token must be like what twitter or facebook returns out of their API.

Answer 1

I'm using session_regenerate_id to generate the token, before I was using session_id but I had figure out that using session_id the sessID was never change the value, then regenerating it was a solution that fits to me.

Now I can even control if there are the same user but with the different sessID and give the option to LogOut the sessions of one user.

I do not know if it is exactly what you are looking for, but it solve my problem about TOKEN. And it will never repeat.

Reference: https://www.php.net/manual/en/function.session-regenerate-id.php

Answer 2

If you're looking to implement OAuth using a library you should check out the HTTP_OAuth pear package by Jeff Hodson of Digg[1], and there are a bunch of good posts on this site about database design to use with Oauth[2].

I think I'm confused about your question, though. Are you looking to make an API for your web application, or just provide a way to protect a user's resources? If you want to make an API, you should definitely use OAuth and also use a well known library. Doing so will ensure that:

1. Other developers will know how to use your API because it follows the OAuth RFC[3]
2. Your web application is much more likely to be secure
3. You become aware of best practices and learn some new stuff

If you aren't looking to make an API, and just want to protect user resources, I think you would be safe using sessions[4], and, if the user is not logged in they can't access the protected resources.

[1] HTTP_OAuth Package : http://pear.php.net/pepr/pepr-proposal-show.php?id=607
[2] Oauth Database Design : what is the recommended database structure for OAuth Provider
[3] Oauth RFC : http://oauth.net/
[4] PHP Sessions : http://us2.php.net/manual/en/features.sessions.php