Role Based Access Control (RBAC) with Tokens – PHP

1) User logs in: authenticate the user, then send back the user data and privileges together with a secret key (token).
2) Have some kind of expiry mechanism for tokens; for example, kill them when the session/cookie expires.
3) For tokens carried in cookies, delete the old token and generate a new token for every login.
4) Regenerate the token every time the user logs in, and store the token hash in the database along with the user agent so that you can issue separate tokens to the same user on multiple devices/browsers.
5) Load all the received user permissions into the session and client-side storage and build the website from them.
6) Send the token with every call you make to the back-end.
7) On the back-end, do an authorization check of the token and the required privileges for every call.
8) For privilege checks, use dictionaries to cache the query results so that you don't have to query the database all the time.
9) When there is an update in the database, update the dictionary.
10) For a UI built in JavaScript: if the user modifies the script to get more permissions, they ultimately need a back-end call to change anything in the back-end. Since the back-end already does an authorization check for every call, you need not worry about user modifications of the script.
11) Use minimal script to reduce the workload.
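The login-time token issue, the per-call back-end check and the permission dictionary described above, as an added PHP example that is not the post's own code. It assumes PHP 7.4+, an open PDO connection `$db`, and the hypothetical tables `api_tokens(user_id, token_hash, user_agent, expires_at)` and `user_permissions(user_id, permission)`.

```php
<?php
// Assumed (hypothetical) schema: api_tokens(user_id, token_hash, user_agent, expires_at)
// and user_permissions(user_id, permission); $db is an open PDO connection.
const TOKEN_TTL = 3600; // seconds: tokens expire instead of living forever

// Login: mint a fresh random token, replace the old one for this device, and store only
// its SHA-256 hash together with the user agent so each browser/device holds its own token.
function issueToken(PDO $db, int $userId, string $userAgent): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('DELETE FROM api_tokens WHERE user_id = ? AND user_agent = ?')
       ->execute([$userId, $userAgent]);
    $db->prepare('INSERT INTO api_tokens (user_id, token_hash, user_agent, expires_at) VALUES (?, ?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $userAgent, time() + TOKEN_TTL]);
    return $token; // sent to the client once; the clear-text token is never stored
}

// Map a presented token to a user id; null means unknown or expired.
function userFromToken(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT user_id FROM api_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Permission dictionary: query the database once per user, then answer from memory;
// call invalidate() whenever that user's permission rows change.
final class PermissionCache {
    private static array $perms = []; // user id => [permission => true]
    public static function can(PDO $db, int $userId, string $permission): bool {
        if (!isset(self::$perms[$userId])) {
            $stmt = $db->prepare('SELECT permission FROM user_permissions WHERE user_id = ?');
            $stmt->execute([$userId]);
            self::$perms[$userId] = array_fill_keys($stmt->fetchAll(PDO::FETCH_COLUMN), true);
        }
        return isset(self::$perms[$userId][$permission]);
    }
    public static function invalidate(int $userId): void { unset(self::$perms[$userId]); }
}

// Back-end gate for every call: the token must resolve to a user who holds the privilege;
// a client script edited to "grant" itself more permissions is stopped here.
function authorize(PDO $db, ?string $token, string $permission): int {
    $userId = $token === null ? null : userFromToken($db, $token);
    if ($userId === null || !PermissionCache::can($db, $userId, $permission)) {
        http_response_code(403);
        exit('forbidden');
    }
    return $userId;
}
```

Call `authorize($db, $tokenFromRequest, 'reports:read')` at the top of each endpoint, and `PermissionCache::invalidate($userId)` from whatever code updates that user's permission rows.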
