We have a website, say site.com, with site.com/auth.php, which receives a login/password via the GET/POST method.

site.com will call its own API from JS/Angular 2, i.e. the same authorization will happen via an Angular HTTP request to the URL site.com/auth.php. I also want to make an Android app for site.com. The Android app will request the URL site.com/auth.php and go through the authorization.

Question: how to implement this correctly and securely? I don't understand this; so far I have found the following information. On the server, generate a SESSID, which is then sent along with each request. That is, the server no longer sends the SESSID in headers, only in the response to the API request, in JSON for example. On the Angular site the SESSID will be stored in cookies; Android stores it on its side. How and where should these SESSIDs be stored on the server? I read something about Redis, but didn't quite understand whether it is part of PHP or has to be installed separately; and if separately, then Redis can't be had on every shared hosting?

P.S. There are many questions because I have little understanding of how to solve the problem. As I understand more, there will be fewer questions. I welcome answers as well as criticism, corrections and links to useful resources. Thank you for your attention!

After a successful login, the server generates a hash, which it returns to the client. After that, presenting this hash is equivalent to successful authorization, but the maximum lifetime of such a hash must be taken into account. The browser can store this hash in cookies or in Local Storage, and the mobile application in Preferences.

Александр Гаврилюк 2021-05-22 02:06:21
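An added example (not code from the question or from the answer above) of the scheme the answer describes, written in PHP because auth.php is the server in the question: the token is random, only its hash is kept on the server together with an expiry, and every later request is checked against that store. The in-memory `$store` array (a stand-in for Redis or a DB table), the `TOKEN_TTL` value, the `Authorization: Bearer` header and `SESSID` cookie names, and the user table are all assumptions made for the demonstration.

```php
<?php
// Added example, not from the question or the answer: opaque bearer tokens
// with a server-side store and a maximum lifetime.  $store stands in for
// Redis or a DB table; the user table and credentials below are constructed.
declare(strict_types=1);

const TOKEN_TTL = 3600;   // maximum lifetime of a token in seconds (assumed value)

// Constructed user table: passwords are kept as password_hash() output, never plain.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Server-side token store: key = sha256(token), value = owner + expiry time.
// Only the hash is stored, so a leaked dump of the store yields no usable tokens.
$store = [];

function issueToken(array &$store, string $userId, int $now, int $ttl = TOKEN_TTL): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, not md5(time())
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + $ttl];
    return $token;                                // the raw token is handed to the client once
}

// Returns the owning user id, or null when the token is unknown, revoked or expired.
function authenticate(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                              // unknown or already revoked
    }
    if ($store[$key]['expires'] <= $now) {
        unset($store[$key]);                      // expired: drop it so it cannot be reused
        return null;
    }
    return $store[$key]['user'];
}

// Logout: delete the entry; the client's copy becomes worthless immediately.
function revokeToken(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);
}

// What auth.php does with the submitted login/password.
function login(array $users, array &$store, string $login, string $password, int $now): array
{
    // password_verify compares in constant time and understands the stored hash format.
    if (!isset($users[$login]) || !password_verify($password, $users[$login])) {
        return ['ok' => false, 'error' => 'invalid credentials'];   // same reply for unknown user and wrong password
    }
    return ['ok' => true, 'token' => issueToken($store, $login, $now), 'expires_in' => TOKEN_TTL];
}

// Extract the token from a request: the Android app and the Angular client send
// "Authorization: Bearer <token>"; a browser may instead carry it in the SESSID cookie.
function tokenFromRequest(array $headers, array $cookies): ?string
{
    if (isset($headers['Authorization'])
        && preg_match('/^Bearer\s+([0-9a-f]{64})$/', $headers['Authorization'], $m)) {
        return $m[1];
    }
    return $cookies['SESSID'] ?? null;
}

// --- demonstration with constructed requests ---
$now = time();

$bad = login($users, $store, 'alice', 'wrong password', $now);
echo json_encode($bad), "\n";                     // failure reply, no token issued

$good = login($users, $store, 'alice', 'correct horse battery staple', $now);
echo json_encode($good), "\n";                    // success reply carrying the token

$token = tokenFromRequest(['Authorization' => 'Bearer ' . $good['token']], []);
var_dump(authenticate($store, $token, $now));               // valid: the user id
var_dump(authenticate($store, $token, $now + TOKEN_TTL));   // past the lifetime: null, entry removed
var_dump(authenticate($store, $token, $now));               // still null: expiry is one-way

$again = login($users, $store, 'alice', 'correct horse battery staple', $now);
revokeToken($store, $again['token']);
var_dump(authenticate($store, $again['token'], $now));      // null after logout
```

Run it with the php CLI. The second `authenticate()` call is made at `$now + TOKEN_TTL`, so it returns null and deletes the entry, which is why the third call stays null even though the clock is back at `$now`. In production the array becomes a Redis key set with `SETEX` (the same TTL then handles the expiry for you) or a DB table with an `expires_at` column; Redis is a separate server process rather than part of PHP, which is why it is often unavailable on shared hosting. The token must only ever travel over HTTPS, and if the browser keeps it in a cookie, that cookie should be set `HttpOnly` and `Secure`.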