I'm trying to create a login system with a Web Service (I'm using axis2).
I have already created a database, where I have a table with user and pass (binary(20)). I save in the pass field the SHA1 of the password.
CREATE TABLE users(user varchar(15), pass binary(20));
-- store the raw 20-byte SHA1 digest in the binary(20) column
INSERT INTO users (user, pass) VALUES ("user", UNHEX(SHA1("mypassword")));
My questions are:
1. Should I send the password to my web service and then compute its SHA1 there to check whether the information is correct, or send the SHA1 of the password to the web service directly?
2. I have already tested the BetFair web service, and it uses a login system with a session token. This is better than always sending the user and password/SHA1, no?
2.1. What is the best way to generate a session token?
2.2. I will need to save open "session tokens" in a table, maybe in the users table, no?
Thanks.
First of all, you shouldn't be sending the clear password across the network; it can be easily hacked.
So what you can do is SHA it and send that to the web service; the login process will check it, generate a session token and return it from the API.
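The login flow the answer describes, written out as an added example (it is not code from the original post, from the asker's axis2 service or from BetFair): verify the presented password against the stored 20-byte SHA1, hand back a random session token on success, and resolve later requests from that token. Assumptions made here: an in-memory SQLite database standing in for the asker's MySQL table, a separate sessions table instead of a column on users, a 30-minute token lifetime, and tokens stored only as their SHA-256 hash.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL_SECONDS = 30 * 60  # assumption: a token expires 30 minutes after login


def open_db():
    """Constructed in-memory database mirroring the question's users table.

    The SHA1 digest is stored as 20 raw bytes, the same value MySQL's
    UNHEX(SHA1(...)) produces. Sessions live in their own table (assumption)
    rather than in a column of users, so one user may hold several tokens
    and revoking one does not touch the others.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(user TEXT PRIMARY KEY, pass BLOB NOT NULL)")
    conn.execute(
        "CREATE TABLE sessions(token_hash BLOB PRIMARY KEY, "
        "user TEXT NOT NULL, expires REAL NOT NULL)"
    )
    return conn


def register(conn, user, password):
    conn.execute(
        "INSERT INTO users(user, pass) VALUES (?, ?)",
        (user, hashlib.sha1(password.encode()).digest()),
    )


def _token_hash(token):
    # Only a hash of the token is stored, so a leaked sessions table does not hand out live sessions.
    return hashlib.sha256(token.encode()).digest()


def login(conn, user, password, ttl=SESSION_TTL_SECONDS):
    """Check the password against the stored SHA1; return a fresh session token or None."""
    row = conn.execute("SELECT pass FROM users WHERE user = ?", (user,)).fetchone()
    # Compare against a dummy digest for unknown users so timing does not reveal which names exist.
    stored = row[0] if row else hashlib.sha1(b"no-such-user").digest()
    matches = secrets.compare_digest(stored, hashlib.sha1(password.encode()).digest())
    if row is None or not matches:
        return None
    # 256 bits from the OS CSPRNG; never derive a token from the username, a counter or the clock.
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO sessions(token_hash, user, expires) VALUES (?, ?, ?)",
        (_token_hash(token), user, time.time() + ttl),
    )
    return token


def user_for_token(conn, token):
    """Resolve a presented token to its user, or None if unknown or expired."""
    row = conn.execute(
        "SELECT user, expires FROM sessions WHERE token_hash = ?", (_token_hash(token),)
    ).fetchone()
    if row is None or row[1] < time.time():
        return None
    return row[0]


def logout(conn, token):
    conn.execute("DELETE FROM sessions WHERE token_hash = ?", (_token_hash(token),))


if __name__ == "__main__":
    db = open_db()
    register(db, "user", "mypassword")
    print(login(db, "user", "wrong"))        # None
    session = login(db, "user", "mypassword")
    print(user_for_token(db, session))       # user
```

Once a token is issued it is the credential for every later call, so it needs the same protection as the password (send it only over TLS) and the same revocation path (logout deletes the row, expiry makes stale rows inert). The password check keeps the unsalted SHA1 layout from the question so it matches the binary(20) column shown; swapping `hashlib.sha1` for a salted, slow password hash changes only `register` and the comparison in `login`.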