Ionic 2 and sessions/tokens

Hi,

I know there are a few threads about sessions/tokens and using ionic, but my scenario feels a bit different so I’m asking this question.

I have an existing web application with a login where I query a Microsoft SQL Server database when a user fills out my login form and then I set a session variable(s) such as loggedin = true; or whatever. I’m building an ionic 2 app and want to (ideally) leverage my same SQL Server database for authentication. I don’t want to use a social login integration.

  1. I’m using PHP on my server, so how can I generate access tokens, refresh tokens, etc. without using third-party services? I’d like to not introduce more technologies if I don’t need to.

  2. Do I need to store token information with the user’s record in my database?


I would recommend JWT. There are PHP implementations. No, you don’t have to store tokens in the database; just a single signing key.

So @rapropos, once the user has authenticated and they have a token on their device, how do I look up subsequent information about the user? My database is relational and my tables typically have a “user_id” column, for example. So if the user is on their phone and wants to update, say, their profile information: they fill out the form on the phone, hit save, I make an API call to my app, and all I have is a token to work with. How do I relate that token to the user, if that makes sense? Or are you saying I store the single signing key in the database with the user record?

Typically you would store the user id in the “sub” (for “subject”) claim of the token. I don’t speak PHP; my backends are in Go, so hopefully you will at least sort of get the idea from this:

import (
	"crypto/rsa"
	"strconv"
	"time"
	jwt "github.com/dgrijalva/jwt-go" // the library these identifiers come from
	"github.com/dgrijalva/jwt-go/request"
)

// issueJwt mints an RS256 token whose "sub" claim is the user id; the key is passed by pointer, which is what SignedString expects.
func issueJwt(subj string, signingkey *rsa.PrivateKey) (string, error) {
	claims := jwt.StandardClaims{
		Subject:  subj,
		IssuedAt: time.Now().Unix(),
	}
	authtoken := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
	return authtoken.SignedString(signingkey)
}

…and then in subsequent requests,

// Later requests: pull the bearer token from the Authorization header and verify it
// (req.Request, ctxt.baseContext and JwtVerificationKey are from the poster's own handler code).
claims := jwt.StandardClaims{}
authtoken, err := request.ParseFromRequestWithClaims(req.Request,
		request.AuthorizationHeaderExtractor, &claims,
		func(t *jwt.Token) (interface{}, error) {
			// Pin the expected algorithm instead of trusting the token's own header.
			if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
				return nil, jwt.ErrSignatureInvalid
			}
			return JwtVerificationKey(ctxt.baseContext)
		})
// boring error stuff omitted
uid, err := strconv.ParseUint(claims.Subject, 36, 64)

My userids are 64-bit integers encoded as base 36 strings inside the JWT. Obviously you can use any encoding method you wish, as long as the code that issues the tokens and the code that reads them agree on it.

Thanks for the reply, I will check out the jwt site and see if I can put something together with php

One other thing in case this wasn’t clear: by “single signing key” I mean that you do not have a dedicated key for each user. Instead, all tokens are signed by the same key (and verified by the corresponding public key). That key does need to be in the database somewhere (or otherwise available to the application-level middleware).
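To make the two Go fragments and the “single signing key” point above concrete, here is an added stand-alone example. It is not rapropos’s code and does not use the jwt-go library his snippets call; it builds and checks an RS256 JWT with only the Go standard library so every step is visible: the user id goes into “sub” (base 36, as in the post), one server-wide private key signs every token, the matching public key verifies them, and nothing about a token is written to the database. The verifier also shows two things a practitioner wants that the thread does not spell out: it pins the algorithm before touching any key (a constructed `ForgeAlgNone` token with `"alg":"none"` must be refused) and it enforces an `exp` claim. The key pair is generated in-process and the one-hour lifetime is an assumption; a real server would load the key from configuration. A PHP backend would perform the same three steps with a PHP JWT library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Claims: "sub" carries the user id so each API request maps back to a users row.
type Claims struct {
	Subject   string `json:"sub"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

type header struct {
	Alg string `json:"alg"`
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// IssueJWT signs {sub, iat, exp} with RS256 using the one server-wide private
// key; the id is base 36 as in the post above, and nothing is stored server-side.
func IssueJWT(uid uint64, key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(header{Alg: "RS256"})
	body, _ := json.Marshal(Claims{
		Subject:   strconv.FormatUint(uid, 36),
		IssuedAt:  now.Unix(),
		ExpiresAt: now.Add(ttl).Unix(),
	})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT is the per-request middleware check: pin the algorithm to RS256 before
// touching any key, verify the signature with the public key, enforce exp, then trust sub.
func VerifyJWT(token string, pub *rsa.PublicKey, now time.Time) (uint64, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, errors.New("jwt: malformed token")
	}
	var h header
	if err := decodeSegment(parts[0], &h); err != nil {
		return 0, err
	}
	if h.Alg != "RS256" {
		return 0, fmt.Errorf("jwt: refusing alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return 0, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return 0, errors.New("jwt: bad signature")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return 0, err
	}
	if c.ExpiresAt == 0 || !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return 0, errors.New("jwt: expired")
	}
	return strconv.ParseUint(c.Subject, 36, 64)
}

// ForgeAlgNone is a constructed attack token: claims for uid, "alg":"none", empty signature.
func ForgeAlgNone(uid uint64, now time.Time) string {
	hdr, _ := json.Marshal(header{Alg: "none"})
	body, _ := json.Marshal(Claims{Subject: strconv.FormatUint(uid, 36),
		IssuedAt: now.Unix(), ExpiresAt: now.Add(time.Hour).Unix()})
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(body) + "."
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // assumption: a real server loads this from config
	tok, _ := IssueJWT(42, key, time.Now(), time.Hour)
	fmt.Println(VerifyJWT(tok, &key.PublicKey, time.Now()))                            // 42 <nil>
	fmt.Println(VerifyJWT(ForgeAlgNone(42, time.Now()), &key.PublicKey, time.Now())) // 0 jwt: refusing alg "none"
}
```

The order of checks in `VerifyJWT` is the security-relevant part: the algorithm is fixed by the server, not read from the token, the signature is verified before any claim is trusted, and only after that is `sub` parsed and used as the `user_id` for the database query. Because the public key is all the API needs, the private key can stay on the login endpoint alone.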

:heart_eyes:
Waiting for learning