Hi,
I plan on making a game that uses a web server to connect to the game's database. I created a basic PHP token authentication system where the user requests an authentication token from the server. The token is valid for one hour. Can someone tell me how secure this is and if there are any easy ways to break into it?
1. Username/password is stored on client's device in keychain.
2. The username/password combination is sent to the PHP server to be validated, and a token (a randomized 30-character string) is returned WITH a token_user_id.
3. For each HTTPWebrequest the client's device sends thereafter, the token AND token_user_id are sent as parameters to validate the user. The token and token_user_id MUST match in order for any further requests to be completed.
Is there any way this can easily be hacked? I decided to send a token_user_id along as well so that nobody could just brute-force token strings hoping to match one that already exists. Now they must match both the token and the token_user_id to the same user.
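For reference, here is an added sketch (not the poster's code) of the server side of the scheme described above, written so that each step is done the way a reviewer would want to see it: the 30-character token comes from PHP's CSPRNG (`random_bytes`) rather than `rand()`/`uniqid()`, only a hash of the token is stored so a database dump does not hand out live sessions, the one-hour lifetime is enforced on every request, and the token comparison uses `hash_equals` so response timing does not reveal how much of a guessed token matched. The in-memory arrays, the user record layout and the function names (`issue_token`, `validate_token`, `login`) are assumptions standing in for the real database and API.

```php
<?php
// Added illustration of the token scheme from the question; not the poster's code.
// Assumption: in-memory arrays stand in for the game's database tables.

const TOKEN_TTL_SECONDS = 3600; // one hour, as described in the question

// Constructed user table: username => ['id' => token_user_id, 'pw' => password_hash()].
$users = [
    'alice' => ['id' => 42, 'pw' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

// Token table: token_user_id => ['hash' => sha256(token), 'expires' => unix time].
$tokens = [];

function issue_token(array &$tokens, int $userId): string
{
    // 15 random bytes from the CSPRNG -> exactly 30 hex characters.
    $token = bin2hex(random_bytes(15));
    // Store only a hash: a leaked table does not yield usable tokens.
    $tokens[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

function validate_token(array &$tokens, int $userId, string $token): bool
{
    if (!isset($tokens[$userId])) {
        return false; // unknown token_user_id: nothing to match against
    }
    $record = $tokens[$userId];
    if (time() > $record['expires']) {
        unset($tokens[$userId]); // expired: drop it so it cannot be reused
        return false;
    }
    // Constant-time comparison of the stored hash against the hash of the presented token.
    return hash_equals($record['hash'], hash('sha256', $token));
}

// Step 2 of the scheme: validate username/password, then return token + token_user_id.
function login(array $users, array &$tokens, string $username, string $password): ?array
{
    if (!isset($users[$username])) {
        return null;
    }
    $user = $users[$username];
    if (!password_verify($password, $user['pw'])) {
        return null;
    }
    return ['token' => issue_token($tokens, $user['id']), 'token_user_id' => $user['id']];
}

// Step 3: every later request presents both values and must match the same user.
$login = login($users, $tokens, 'alice', 'correct horse battery');
var_dump($login !== null);                                          // bool(true)
var_dump(validate_token($tokens, 42, $login['token']));             // bool(true)
var_dump(validate_token($tokens, 42, str_repeat('a', 30)));         // bool(false): wrong token
var_dump(validate_token($tokens, 43, $login['token']));             // bool(false): wrong token_user_id
var_dump(login($users, $tokens, 'alice', 'wrong password') === null); // bool(true)
```

Two points worth keeping in mind with this layout: the token is a bearer credential, so the scheme depends on TLS for every request that carries it, and because the client can retry the login endpoint freely, the password check (not the token check) is where a rate limit or lockout belongs.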