I'm faced with the task of implementing user authorization and then getting this user's data.

I don’t quite understand how exactly (correctly) authorization takes place (with subsequent data management), but tell me if I’m doing everything correctly:

During authorization, I generate a kind of token, a cipher(User-Agent + IP + salt + etc...), and set a cookie... It seems to be all right, but how do you then identify this user? How can I get his posts from this token? If you write this token to the database, then there will be only a single authorization, and the user will not be able to log in from different devices...

COOKIE:

Auth: 6477288ea38dd982b60fc2ea75e25b78379bba28

Then I decided to use sessions... I set the session cookie lifetime longer than usual, change the name and value... and set values in this session (first name, last name, unique user ID). All this is open, without encryption. The value for the session cookie is random_token + '-' + cipher(User-Agent + IP + salt + etc...). Part 2 is needed in case the cookie is stolen.

SESSION COOKIE:

Auth: blwdoIAdmWnfewAOWfvAdwd-6477288ea38dd982b60fc2ea75e25b78379bba28

SESSION data:

 Array ( [auth] => Array ( [UID] => 321 [NAME] => username [LNAME] => userlastname ) ) 

Is it safe? Is it right? How do authorization and data manipulation take place on cool sites and in applications (Android)? Do they use sessions? Why do some install a token on a subdomain? With each request, they redirect the user to the subdomain and then back. So what?

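The scheme described in the post above, as an added example that is not part of the original post: the random part of the cookie is the lookup key for a server-side row holding the user ID, and each login creates its own row, so one user can hold sessions on several devices. All function and variable names are hypothetical, an in-memory array stands in for the database table, and HMAC-SHA-256 stands in for the unspecified cipher.

```php
<?php
// Added example; every name here is hypothetical. $sessions stands in for a
// database table with one row per login, so one user can own many rows.
const SERVER_SECRET = 'constructed-secret-for-this-example';

// Keyed hash over the client attributes the post lists (User-Agent + IP).
function fingerprint(string $userAgent, string $ip): string {
    return hash_hmac('sha256', $userAgent . '|' . $ip, SERVER_SECRET);
}

// Create a session row for $uid and return the cookie value to send.
function login(array &$sessions, int $uid, string $userAgent, string $ip): string {
    $token = bin2hex(random_bytes(32));   // unguessable random part
    $fp = fingerprint($userAgent, $ip);
    // Key the row by a hash of the token so a leaked table holds no usable cookies.
    $sessions[hash('sha256', $token)] = ['uid' => $uid, 'fp' => $fp];
    return $token . '-' . $fp;            // random_token + '-' + fingerprint
}

// Return the user ID behind a cookie, or null if it is unknown or was moved.
function authenticate(array $sessions, string $cookie, string $userAgent, string $ip): ?int {
    $parts = explode('-', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$token, $fp] = $parts;
    $row = $sessions[hash('sha256', $token)] ?? null;
    if ($row === null) {
        return null;
    }
    // Recompute from the current request and compare in constant time.
    $now = fingerprint($userAgent, $ip);
    if (!hash_equals($row['fp'], $now) || !hash_equals($now, $fp)) {
        return null;
    }
    return $row['uid'];
}

// Constructed sample: user 321 logs in from two devices.
$sessions = [];
$laptop = login($sessions, 321, 'Firefox/Linux', '203.0.113.10');
$phone  = login($sessions, 321, 'Chrome/Android', '198.51.100.7');

var_dump(authenticate($sessions, $laptop, 'Firefox/Linux', '203.0.113.10'));  // laptop session
var_dump(authenticate($sessions, $phone, 'Chrome/Android', '198.51.100.7'));  // phone session
var_dump(authenticate($sessions, $laptop, 'curl/8.0', '192.0.2.55'));         // laptop cookie replayed elsewhere
```

Binding to the IP address also ends the session whenever a legitimate client changes networks, which is common on mobile connections. The fingerprint only raises the bar for a stolen cookie, since an attacker who can send the same User-Agent from the same address still passes the check.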