I write back-end code for mobile applications. I need to write the code for authentication, and the simplest yet secure solution I can think of is:

- When the user signs in, the device sends username and password to the server
- If the credentials are valid, the server returns a token
- The user sends the token with every request

Details about the token:

- In Java I can create the token as a `UUID` (which is created using `SecureRandom` under the hood)
- I write this token into the DB in the `users` table, in the user's row
- On every mobile application request I run `SELECT ... FROM users WHERE token = ?` and check whether the current user is allowed to perform the operation
- Periodically I change the `token` in the `users` table to expire the previous token

Is it good enough?

It seems secure, but I'm not a security expert, so I thought I'd ask here. I haven't seen this solution before and I am wondering why.

- Someone would complain about performance because of hitting the DB every time, but in a real application every request generates a lot of SQL queries, so one more shouldn't be a problem.
- Someone could complain about the UUID, but as far as I know, in Java `UUID`s are presumed impossible to guess because of the implementation of `SecureRandom`.

Is this solution secure, or are there any holes I couldn't see?
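The flow described in the question, written out as an added example (not code from the asker) in Python against an in-memory SQLite table so it runs stand-alone; `uuid.uuid4()` plays the role of Java's `SecureRandom`-backed `UUID.randomUUID()`. The table layout, the column names `token_hash` and `token_iat`, the `TOKEN_TTL_SECONDS` window and the sample user `alice` are all constructed for the example. The one deliberate difference from the question's design is that the server stores a SHA-256 hash of the token rather than the token itself, so the per-request lookup is `WHERE token_hash = ?` instead of `WHERE token = ?`.

```python
import hashlib
import sqlite3
import time
import uuid

# Constructed in-memory schema standing in for the question's `users` table.
SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    username   TEXT NOT NULL UNIQUE,
    token_hash TEXT,     -- SHA-256 hex digest of the issued token, never the token itself
    token_iat  INTEGER   -- unix time the current token was issued
);
CREATE INDEX users_token_hash ON users(token_hash);
"""

# Assumed rotation/expiry window; the question only says "periodically".
TOKEN_TTL_SECONDS = 7 * 24 * 3600


def open_db():
    """Create the table and one sample user (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (username) VALUES (?)", ("alice",))
    conn.commit()
    return conn


def _hash_token(token):
    # Tokens are high-entropy random values, so a plain SHA-256 is enough here;
    # the slow password hashes (bcrypt, Argon2) are for low-entropy secrets.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(conn, username, now=None):
    """Called after the username/password check has succeeded: mint a fresh
    token, store only its hash, and hand the raw token back to the device."""
    now = int(time.time()) if now is None else now
    # uuid4() draws its 122 random bits from os.urandom, the analogue of
    # Java's SecureRandom-backed UUID.randomUUID().
    token = str(uuid.uuid4())
    cur = conn.execute(
        "UPDATE users SET token_hash = ?, token_iat = ? WHERE username = ?",
        (_hash_token(token), now, username),
    )
    if cur.rowcount != 1:
        conn.rollback()
        raise LookupError("unknown user")
    conn.commit()
    return token


def user_for_token(conn, token, now=None):
    """The per-request lookup from the question. Returns the username, or
    None when the token is unknown, revoked or past its TTL."""
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT username, token_iat FROM users WHERE token_hash = ?",
        (_hash_token(token),),
    ).fetchone()
    if row is None:
        return None
    username, issued_at = row
    if now - issued_at > TOKEN_TTL_SECONDS:
        return None  # expired: the client must sign in again
    return username


def revoke_token(conn, username):
    """Server-side logout or forced rotation: clearing the stored hash
    immediately invalidates whatever token the device still holds."""
    conn.execute(
        "UPDATE users SET token_hash = NULL, token_iat = NULL WHERE username = ?",
        (username,),
    )
    conn.commit()
```

Two points the example makes that the question's sketch does not: a `users` table that holds raw tokens turns any read of that table (a backup, a leaked dump, a read-only SQL injection somewhere else in the application) into a set of live credentials, whereas hashes at rest are useless to the reader; and the `token_iat` column lets the server enforce expiry on every lookup rather than relying only on the periodic rotation job. Because the token is a bearer credential, the whole scheme also assumes every request travels over TLS, otherwise the token is as exposed as the password it replaces.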