Home/ Questions/Q 6939737
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T12:39:37+00:00

I am trying to implement a thing like OAuth in PHP and what I

  • 0

I am trying to implement a thing like OAuth in PHP and what I want to do is give tokens to users so they can use their private resources. Every user first must login with their email and password and get a unique token which would be valid forever unless it’s idle for “n” minutes. So if there are zero requests for “n” minutes, the token should be destroyed. The token would be used to access private resources by users.

One thing I can think of doing this is as…

I would maintain a db table of named user_tokens and as they login with their username and password the entry with unique token would be created there. The last accessed timestamp would be set and user would given the unique token as response. The token now can be used to access private resources of user and would be required to pass with all request requiring token. Every private request would check if the last timestamp and current timestamp has “n” minutes of difference, if yes, destroy token. Otherwise send response with requested resources and set last timestamp to current timestamp.

Does that make sense? Or there can be another efficient way of doing this?

I would like to add that the token must be like what twitter or facebook returns out of their API.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you’re looking to implement OAuth using a library you should check out the HTTP_OAuth pear package by Jeff Hodson of Digg[1], and there are a bunch of good posts on this site about database design to use with Oauth[2].

    I think I’m confused about your question, though. Are you looking to make an API for your web application, or just provide a way to protect a user’s resources? If you want to make an API, you should definitely use OAuth and also use a well known library. Doing so will ensure that:

    1. Other developers will know how to use your API because it follows the OAuth RFC[3]
    2. Your web application is much more likely to be secure
    3. You become aware of best practices and learn some new stuff

    If you aren’t looking to make an API, and just want to protect user resources, I think you would be safe using sessions[4], and, if the user is not logged in they can’t access the protected resources.

    [1] HTTP_OAuth Package : http://pear.php.net/pepr/pepr-proposal-show.php?id=607
    [2] Oauth Database Design : what is the recommended database structure for OAuth Provider
    [3] Oauth RFC : http://oauth.net/
    [4] PHP Sessions : http://us2.php.net/manual/en/features.sessions.php

    • 0