
Authentication API maybe too much?

Hi.

So I'm converting the website I have to be API based. The frontend API is done, but now I have to make a backend API with login. I have been thinking about adding authentication to my login API, and now I'm trying to reverse engineer it a bit.

We currently have 2-3 users, maybe a bit more, that need access. It still needs to be secure and not just an MD5/SHA1 encrypted password in a database.

I'm thinking of looking at https://docs.phalcon.io/en/latest/reference/security.html and using that instead of OAuth2 or OpenID etc.; I think those would be too much.

I plan to make a /login route, do a check there, and return a cookie or maybe just a session; not sure.

Please come with inputs :)

Hi @zyxep
I would use a SHA-256 hash with some salt (https://en.wikipedia.org/wiki/Salt_(cryptography)).
For example, this can be the creation date of the user or something like that. For hashing this is secure enough.
Then I would use secure sessions: https://stackoverflow.com/questions/328/php-session-security and perhaps this one: https://de2.php.net/session_regenerate_id

But the strongest argument for which security I choose is how strongly my data has to be protected. So think about it.
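As an added example (not code from either poster or from Phalcon), here is a minimal plain-PHP /login handler along the lines the thread discusses: a salted, deliberately slow password hash via password_hash() and password_verify(), and session id rotation with session_regenerate_id() as in the linked page. The $users array is a constructed stand-in for the database lookup, and the JSON request body format is an assumption.

```php
<?php
// Added example, not from the thread: a minimal PHP /login handler for a
// handful of users. Passwords are stored with password_hash() (PASSWORD_DEFAULT,
// i.e. salted bcrypt, deliberately slow) rather than a fast hash like salted
// SHA-256, and the session id is rotated on a successful login.

// Constructed stand-in for the users table (username => hash). In real use the
// hash is created once at registration with password_hash() and stored in the DB.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Verifying against this dummy hash when the username is unknown makes a
// rejection take about as long as a wrong password for a known user, so
// response timing does not reveal which usernames exist.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Returns true and binds the user to the session on success, false otherwise.
function login(array $users, string $dummyHash, string $username, string $password): bool
{
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummyHash;
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // Fresh session id on login (true discards the old session data), so a
    // session id handed out before authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
    return true;
}

startSecureSession();
$in = json_decode((string) file_get_contents('php://input'), true) ?: [];
$ok = login($users, $dummyHash, (string) ($in['username'] ?? ''), (string) ($in['password'] ?? ''));
http_response_code($ok ? 200 : 401);
echo json_encode(['status' => $ok ? 'ok' : 'invalid credentials']);
```

The same error message and roughly equal response time for unknown users and wrong passwords keep the endpoint from leaking which accounts exist; rate limiting the route is a separate concern not shown here.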