Implementing a token authentication

野趣味 2021-02-10 22:42

Which are the steps must I follow to implement a token authentication in my web page?

Any summary or links will be appreciated.

I want to implement similar to F

2 answers

    上瘾入骨i 2021-02-10 23:34

    I see your point.

    On the protocol level a very simplistic token approach is HTTP Basic Authentication. But this often doesn't fit, as there is no logout function etc.

    A custom, simple cookie based approach can for example look like this:

    • The server generates some kind of secret (a value that is hard to guess).
    • When a user tries to access a protected resource, he is redirected to a login form.
    • After successful authentication he gets a cookie. This cookie contains three values: username, timestamp and a hash of {username server-secret timestamp}.
    • With every user request the server recalculates the hash value and compares it to the value which the client sends in its cookie.

    (needs more consideration of: httponly and secure flag, transport layer security, replay attacks etc)

    Amazon S3 stores its authentication token in an HTTP Header and uses HMAC for calculating it. It's described here: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?S3_Authentication.html (Not necessarily recommended for using with a browser based web application)

    If there is a book about REST anywhere near you, you may look if it has a chapter about authentication. Probably things are much nicer explained there than here :-)

    There are some frameworks which are capable of doing this kind of authentication. For security reasons it would make sense to check them first before implementing your own stuff.
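The cookie scheme sketched in the answer above (username, timestamp, server secret, keyed digest, recomputed and compared on every request), as an added example in Python; this is not code from the original post. It uses an HMAC over the username and timestamp instead of a bare hash of the concatenation, and adds the expiry and constant-time comparison the answer says need more consideration. The separator, field order and one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Generated once at server start; constructed here for the example.
SERVER_SECRET = secrets.token_bytes(32)
MAX_AGE_SECONDS = 3600  # assumed cookie lifetime
SEP = "|"               # assumed field separator; usernames must not contain it


def _tag(username: str, ts: int, secret: bytes) -> str:
    """Keyed digest over username and timestamp (HMAC-SHA256, hex)."""
    msg = f"{username}{SEP}{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_cookie(username: str, secret: bytes = SERVER_SECRET, now=None) -> str:
    """Build the cookie value after a successful login: user|timestamp|tag."""
    if SEP in username:
        raise ValueError("username must not contain the separator")
    ts = int(time.time() if now is None else now)
    return SEP.join([username, str(ts), _tag(username, ts, secret)])


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET, now=None,
                  max_age: int = MAX_AGE_SECONDS):
    """Recompute the tag server-side; return the username or None if invalid."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    username, ts_text, tag = parts
    if not ts_text.isdigit():
        return None
    ts = int(ts_text)
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, _tag(username, ts, secret)):
        return None
    current = int(time.time() if now is None else now)
    # Reject expired cookies and timestamps from the future (small clock skew allowed).
    if current - ts > max_age or ts > current + 60:
        return None
    return username
```

A cookie that passes verification is still only as safe as its transport, so it should be sent with the Secure and HttpOnly flags over TLS as the answer notes.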
