I am building a REST API application in Symfony2 and I am trying to find a good way to handle user authentication and authorization. There are many solutions, but so far none of them have touched all my requirements / problems.
The API will primarily be used by an AngularJS SPA, where users log in with a combination of username and password. It is important that GUI users can:
- login with username and password
- use the Remember Me checkbox to stay logged in "forever" (probably a week or something like that).
- use "remember me" in different browsers at the same time (as Facebook does, for example).
- delete the login cookies from the browser.
On the server side, I want to stay strictly RESTful. I came up with a solution that seems to be what I need, but I want to be sure that I have not missed anything.
Workflow of a successful login attempt from a server perspective:
- Receive a POST on the /login API endpoint with username and password
- Create a new token and return it to the client. Store the hash of this token in db.
- each db token entry must have a predefined lifetime (specified in config)
- datetime expiration should be stored in db
- hashes of old tokens should be removed from the db when they expire (on login attempts or via cron)
- tokens have a many-to-one relationship with the user - a user can have several active tokens at any time.
:
(GUI):
- POST API/login API
- , . cookie ( js, cookie)
(GUI):
- cookie , : Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
(cookie deleted 401 response) , cookie .
, cookie, , , , , . cookie . .
? - ?
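The server-side workflow described in the question (random token issued on login, only its hash stored with an expiry, several active tokens per user, expired rows purged on login or by cron, per-browser logout), as an added example that is not part of the original question and is not Symfony's own code. It uses an in-memory array in place of the database table, and assumes PHP 7.4+ (`random_bytes`, typed properties, arrow functions); the lifetime value stands in for the config setting the question mentions.

```php
<?php
declare(strict_types=1);

// Minimal token store modelled on the workflow in the question.
// $rows stands in for the db table: key = sha256 hex of the raw token,
// value = ['user' => ..., 'expires' => unix timestamp].
final class TokenStore
{
    /** @var array<string, array{user: string, expires: int}> */
    private array $rows = [];
    private int $lifetimeSeconds;

    public function __construct(int $lifetimeSeconds)   // would come from config in Symfony
    {
        $this->lifetimeSeconds = $lifetimeSeconds;
    }

    /** Issue a new token for $user. Only the hash is persisted; the raw value is returned once. */
    public function issue(string $user, int $now): string
    {
        $raw = bin2hex(random_bytes(32));                // 256 bits from the CSPRNG, unguessable
        $this->rows[hash('sha256', $raw)] = [
            'user'    => $user,
            'expires' => $now + $this->lifetimeSeconds,  // expiry datetime stored alongside the hash
        ];
        return $raw;
    }

    /** Resolve a presented token to a user, or null if unknown, revoked or expired. */
    public function authenticate(string $raw, int $now): ?string
    {
        $this->purgeExpired($now);                       // the "remove on login attempt" path
        $row = $this->rows[hash('sha256', $raw)] ?? null;
        if ($row === null || $row['expires'] <= $now) {
            return null;
        }
        return $row['user'];
    }

    /** Logout from one browser: revoke just this token, leaving the user's other sessions alive. */
    public function revoke(string $raw): void
    {
        unset($this->rows[hash('sha256', $raw)]);
    }

    /** Cron-style cleanup. Returns the number of expired rows removed. */
    public function purgeExpired(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn(array $r) => $r['expires'] > $now);
        return $before - count($this->rows);
    }

    /** How many live tokens a user currently holds (one per browser with "remember me"). */
    public function activeTokenCount(string $user, int $now): int
    {
        $n = 0;
        foreach ($this->rows as $r) {
            if ($r['user'] === $user && $r['expires'] > $now) {
                $n++;
            }
        }
        return $n;
    }
}

// Constructed walk-through: one week lifetime, two browsers, one logout, then expiry.
$store   = new TokenStore(7 * 24 * 3600);
$t0      = 1_700_000_000;                                // constructed "now"
$laptop  = $store->issue('alice', $t0);                  // remember-me on browser 1
$phone   = $store->issue('alice', $t0 + 60);             // remember-me on browser 2
assert($store->activeTokenCount('alice', $t0 + 120) === 2);
assert($store->authenticate($phone, $t0 + 120) === 'alice');

$store->revoke($laptop);                                 // user cleared cookies on the laptop
assert($store->authenticate($laptop, $t0 + 180) === null);   // server answers 401 for this one
assert($store->authenticate($phone, $t0 + 180) === 'alice'); // phone session unaffected

$late = $t0 + 8 * 24 * 3600;                             // eight days later
assert($store->authenticate($phone, $late) === null);    // expired and purged on this attempt
assert($store->activeTokenCount('alice', $late) === 0);
echo "token store walk-through ok\n";
```

Two design points worth noting against the question's list: storing `sha256(token)` rather than the token means a leaked database copy does not contain anything a client could present, and because the raw token is 256 random bits there is no need for a slow password hash here (the hash is a lookup key, not a password-stretching step). The hash is also what the cron job and the on-login purge filter on, so expiry cleanup never needs the raw value.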