simone bruziches
asked on
Security with Tokens
Hi everyone, I'm creating an android app that allows people to register via FacebookAccountKit.
Facebook account kit gives me a Token when the user has been verified (via SMS).
I can't understand how I can secure registration and user data with the token.
I'll explain :
At the moment, when I need to get user data from the database and show it on the app, I use a hidden field to send the user ID to the PHP file to filter the data.
Many have told me that it is not recommended, they told me to send a Token to the PHP file and then get the user id.
I can't understand a few things:
1) The Token must be associated with the user's ID address, could I save them in the same table or could I do it in another way?
2) When the Token expires what happens? I have to log in the user again and save the new Token on the MySql table.
But to do this I will have to specify that it will be saved in the line where the user ID is the same as the user ID and then send the user ID from the app again.
3) To log in, I request the phone number and the user ID, I will have to send them from the app to the PHP file that checks whether the user exists or not, but so I return to the initial problem, ie send the user's id and the phone number from the app to the PHP file.
Someone could clarify my confusion about this.
Do you recommend a more valid alternative for securing my users' data?
If you have any questions in case I haven't explained myself well, ask me what you want.
Thanks a lot.
Facebook account kit gives me a Token when the user has been verified (via SMS).
I can't understand how I can secure registration and user data with the token.
I'll explain :
At the moment, when I need to get user data from the database and show it on the app, I use a hidden field to send the user ID to the PHP file to filter the data.
Many have told me that it is not recommended, they told me to send a Token to the PHP file and then get the user id.
I can't understand a few things:
1) The Token must be associated with the user's ID address, could I save them in the same table or could I do it in another way?
2) When the Token expires what happens? I have to log in the user again and save the new Token on the MySql table.
But to do this I will have to specify that it will be saved in the line where the user ID is the same as the user ID and then send the user ID from the app again.
3) To log in, I request the phone number and the user ID, I will have to send them from the app to the PHP file that checks whether the user exists or not, but so I return to the initial problem, ie send the user's id and the phone number from the app to the PHP file.
Someone could clarify my confusion about this.
Do you recommend a more valid alternative for securing my users' data?
If you have any questions in case I haven't explained myself well, ask me what you want.
Thanks a lot.
ASKER
Sorry,
Save in the same table against the User's IDyou want to save the Token together in the same table to the user ID?
Means:
User ID Token
1 1
2 2
User ID Token
1 1
2 2
EXPERT CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I marked Scott Fell's answer as a solution, but David Favore's previous answer also helped me a lot, too bad I can't put 2 answers as a solution, both are.
Many thanks to everyone for your help, including Ugra Narayan Pandey.
Many thanks to everyone for your help, including Ugra Narayan Pandey.
You're welcome!
Good luck with your project!
Good luck with your project!
In that table create a rule to update new Token id every time against User's ID
Request only one User ID or Phone number, then send app