I'm trying to wrap my brain around authentication on REST API.
I tried to come up with a way to successfully authenticate users, keeping in mind that users can access all the data on the client, and I came up with this idea.
1. Client sends username and password to the server.
2. Server checks if they match a user.
3. If they do, we create a hashed string from user_id + e-mail + currentTime + salt and store it in a database table with an expiration date.
4. Server returns the hashed string to the client.
5. Client sends any request to the server including the key.
6. Server checks if the key is correct and if it has expired.
Is this the right way to do this, and do you see any security flaws?