PHP REST API - Authenticate

Question

I'm sorry to put another REST Authenticate question on the website but I really need to get a complete answer. I have a REST API in which I try to log in a single page website (through jquery).

I want to create a token based authentication, but there is some step I still can't understand.

At first, do I have to make a normal authentication to get and store in db the user login/password ? Do I have to use the user session to store the token ? Does someone have an exemple of php code that I can use ?

source :

• PHP rest API authentication
• http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

----------- EDIT ---------------

Ok, I have some news to add.

• First, Yes I have to make a normal authentification by sending the pair login, sha1(login+passwd)
• After, No, never use the session like a secure way to store data, the login and sha1(login+passwd) will be store in database or in a application scope storing solution, like an haspmap.
• But I still need you if you have a piece of php code. It's the reason why I put my answer as an edit.

Answer 1

Oh, I just see the badge "no view and no answer for a long time" and it bring me back here. I've finally found the answer :

The register is something you do only one time so you can send the hash key without a really good protection. (I mean against sniffing).

So here is the scenario to register :

• Client enter login and password
• Client sends login, hash (sha256(login + password))
• The server store this pair in database (you can cache it in hashmap to increase speed)

Now for the login

• Client : ask for a session salt throught a rest service or hidden field in html page.
• Server : generate the salt from datetime and random and store in session
• Client enter the login and password
• Client javascript hash sha256(sha256(login + password) + salt) and store the pair (login, hash) in the localstorage (html5, be carefull to modernizer or other stuff like this, this pair need to stay private)
• Server check if (sha256(stored_hash_for_login + salt_in_session) == hash received)
• Server : if it's ok store the token shared with the Client
• Client logged in

Now Everytime the client want to make a authenticate request, he will use the following method :

• get the pair (login, token) from localstorage
• generate a hash of is request like this :
• hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
• The param need to be in alphabetic order.

The Server receive the request (login, timestamp, params, hash_request), check if the timestamp is not too old and do the generate the hash_request from the token in hashmap for the login and check if it the same. In this way, you avoid the replay (timestamp) and the clear password.