Timeline for Verifying user login status
Current License: CC BY-SA 4.0
8 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Apr 16, 2022 at 8:05 | vote | accept | The concise | | |
| Apr 16, 2022 at 8:04 | comment | added | The concise | | @Laurel Also note that the token is generated when logging in and it's temporary, i.e. it's regenerated upon each login and saved in a file on the server. It's actually different from the hash stored in the database upon registration. The temporary one is used just for data requests by the app. Even the temporary token is hashed randomly generated characters (uniqid()) and not the direct password used for logging in. |
| Apr 16, 2022 at 7:36 | comment | added | The concise | | @Laurel Great details... Do you however mean I should store the user's plain password (e.g. 12345) in localStorage when logging in, and send it along whenever a request is made to the server to password_verify it? Though it's an Android app and I also read one shouldn't store a plain password in localStorage. Is the user safe with that? |
| Apr 15, 2022 at 11:36 | history | edited | Laurel | CC BY-SA 4.0 | added 300 characters in body |
| Apr 15, 2022 at 11:21 | comment | added | KIKO Software | | Yes, you're right, the token does behave like a password. |
| Apr 15, 2022 at 11:14 | comment | added | Laurel | | @KIKOSoftware OP's comment says that the token is the only thing that's needed to get meaningful data. That means it is a password (albeit one not reused on other sites) and the attacker would have full access to the system with it. And anyone who wants the original password is going to be cracking their hashes offline. |
| Apr 15, 2022 at 6:41 | comment | added | KIKO Software | | I agree with everything you said, but I don't see any usage of plain passwords? Are you referring to the "token", which is a hashed password? I agree it's a bad idea to store a hash of the password on the user's computer, but a hash is not plain text. Remember this is code only to verify that a user is already logged in; we don't know what the code for logging in looks like. |
| Apr 14, 2022 at 23:47 | history | answered | Laurel | CC BY-SA 4.0 | |