Token authentication using PHP for mobile devices

I'm writing an iPhone app to be the mobile version of my website.

I intend to expose some REST API so the app can update the user's data.

I do not wish the user to login every time, but I want to save his token/cookie and reuse it for all future requests.

I can set up a random token and pass it along with the user ID, but it's not very secure since it's easy to access it on a jailbroken device. I cannot restrict it using an IP, since the IP will probably change frequently (since it's a mobile device).

What's the best way to implement such an authentication which will be secure enough but won't annoy the user by asking him to authenticate himself often?

Gilad Novik asked Dec 12 '11 16:12


1 Answer

Send the UDID or MAC address with the initial login details to your server. Create a unique token for this user/UDID (or MAC) combination and send it back (encrypted) to the device if the username/password is successful. On subsequent access, the device sends the encrypted token and UDID/MAC (over a secure connection) for re-authentication.

If you want to put paranoid people at ease about tracking the UDID, you could instead use the UDID/MAC to salt the encrypted token; this won't be as secure, but should still do the job.

bts answered Oct 10 '22 02:10
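The login / re-authentication flow the answer describes, written out in PHP as an added example (this is not code from the question or the answer). It assumes an in-memory array standing in for the server database, a constructed user `gilad` with password `correct horse`, an assumed device identifier string, and an assumed 90-day token lifetime. Where the answer says "send it back (encrypted)", this example mints a random opaque token and relies on TLS for the transport, storing only a SHA-256 of the token on the server so that a database leak does not hand out usable tokens:

```php
<?php
declare(strict_types=1);

// Constructed in-memory "database"; a real deployment would use MySQL via PDO,
// but only the shape of the records matters for the example.
$db = [
    'users' => [
        'gilad' => [
            'id'            => 42,
            'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
        ],
    ],
    // "<user_id>:<device_id>" => ['token_hash' => sha256 hex, 'expires' => unix time]
    'device_tokens' => [],
];

const TOKEN_LIFETIME = 90 * 24 * 3600; // assumed policy: re-login every 90 days

function token_key(int $userId, string $deviceId): string
{
    return $userId . ':' . $deviceId;
}

// Login step: verify username/password, then mint a token bound to this
// user/device pair. The device keeps the raw token; the server keeps its hash.
function issue_device_token(array &$db, string $username, string $password, string $deviceId): ?string
{
    $user = $db['users'][$username] ?? null;
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null; // bad credentials: no token, and nothing stored
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex encoded
    $db['device_tokens'][token_key($user['id'], $deviceId)] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => time() + TOKEN_LIFETIME,
    ];
    return $token; // returned to the device over TLS only
}

// Subsequent requests: the app sends user id, device id and token over TLS.
// Accepts only the token minted for exactly this user/device pair, and only
// while it has not expired or been revoked.
function authenticate_request(array $db, int $userId, string $deviceId, string $token): bool
{
    $row = $db['device_tokens'][token_key($userId, $deviceId)] ?? null;
    if ($row === null) {
        return false; // unknown pair, or revoked
    }
    // hash_equals() compares in constant time, avoiding a timing side channel
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false; // wrong token for this pair
    }
    if (time() > $row['expires']) {
        return false; // expired: force a fresh username/password login
    }
    return true;
}

// Revocation: the user logs out of that device or reports the phone lost.
function revoke_device(array &$db, int $userId, string $deviceId): void
{
    unset($db['device_tokens'][token_key($userId, $deviceId)]);
}

// ---- walk-through with the constructed data --------------------------------
$device = 'A1B2C3D4-ASSUMED-DEVICE-ID'; // assumed value for the device identifier

$token = issue_device_token($db, 'gilad', 'correct horse', $device);
echo 'login with correct password issued a token: ', var_export($token !== null, true), "\n";
echo 'login with wrong password issued a token:   ',
    var_export(issue_device_token($db, 'gilad', 'wrong', $device) !== null, true), "\n";

echo 'request from the enrolled device:            ',
    var_export(authenticate_request($db, 42, $device, $token), true), "\n";
echo 'same token replayed from another device id:  ',
    var_export(authenticate_request($db, 42, 'OTHER-DEVICE', $token), true), "\n";

revoke_device($db, 42, $device);
echo 'request after the device was revoked:        ',
    var_export(authenticate_request($db, 42, $device, $token), true), "\n";
```

Two caveats a practitioner would add. First, binding the token to the device identifier does nothing against the jailbroken-device case the question raises, since an attacker with the device reads both values; what limits that damage is the expiry and the `revoke_device` path, so the token's lifetime and a way to kill it from the website matter more than the binding. Second, Apple later removed app access to the UDID and the Wi-Fi MAC address; on current iOS the supported per-app device identifier is `identifierForVendor`, which works as the `$deviceId` here without the tracking concern the answer mentions.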