8Eyl
What’s the best format or way to generate a short-lived access token?
I'm creating a fairly basic authentication mechanism with username and password. The auth flow is essentially:
- User inputs their username and password
- On the client side the password is hashed
- The client sends the username and hashed password securely to the server
- The server verifies the user and hashed password
- If credentials are good, the server issues a short-lived access token to the client
- In subsequent requests requiring auth, the user passes in the access token in the auth bearer header
I'm wondering on the server side what the best way is to generate that short-lived access token? I'm guessing as long as it is enough bits it should be fine, especially since the token is short-lived.
Just take some random thing and add some additional randomization and hash that?