Question

I have an iPhone/Android native app. It uses PHP web services (RESTful). How do I add a secure authentication system for my web services? Some people suggest using access tokens. How do I generate access tokens and how do I manage them? My understanding is below:

1) In the app, request a web service to authenticate the username and password.

2) In the web service (on the server), create a unique and secure random key, store it as an access token on a MySQL database, and return it to the web service request.

3) In the app, store the access token and send it with secure web service requests.

4) Secure web services check whether the request contains a valid access token before fulfilling the request.

Are the above steps correct? If yes, then how do I expire an access token? Should I use a cron job (scheduled task)? Please suggest a better way. Any help will be highly appreciated.


Solution

Your above steps are valid. Here is what you can do to expire the access token:

  1. When the user presses the Log-out button in the application, the Log-out button will call a web service to remove the access token.
  2. You can set the session timeout for, let's say, X hours. Call a scheduler after X hours on the server to remove the open access token.
  3. Update the access token key when the same user logs in again without logging out.
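As an added example (not part of the question or the answer above), here is the whole flow from the question's steps 1 to 4 plus the answer's three expiry rules, written in PHP with PDO. It assumes an in-memory SQLite database so it runs stand-alone; the table names (`users`, `access_tokens`), the column names and the one-hour `TOKEN_TTL_SECONDS` are assumptions for the illustration, and the same SQL works on MySQL with the usual type changes. Two choices go beyond the question's text: only a SHA-256 of the token is stored, so a read of the database does not hand out live tokens, and the expiry is checked at lookup time with an `expires_at` column, so a cron job is only housekeeping, not what keeps expired tokens out.

```php
<?php
// Added example, not the original poster's code. Opaque bearer tokens for a PHP REST API.
// Assumption: PDO with SQLite in memory so the file runs by itself; on MySQL use the same SQL.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // the answer's "X hours"; one hour is an assumed value

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE access_tokens (
        token_hash TEXT PRIMARY KEY,   -- SHA-256 of the token, never the token itself
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL)'); // unix time; checked on every request
    return $db;
}

function createUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Steps 1 and 2: verify the credentials, mint a 256-bit random token, store only its hash.
// Returns the token to send back to the app, or null on bad credentials.
function login(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Answer's rule 3: a fresh login replaces any earlier token of the same user.
    $db->prepare('DELETE FROM access_tokens WHERE user_id = ?')->execute([$row['id']]);
    $token = bin2hex(random_bytes(32)); // CSPRNG; 64 hex characters go to the app
    $stmt = $db->prepare('INSERT INTO access_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), (int)$row['id'], time() + TOKEN_TTL_SECONDS]);
    return $token;
}

// Step 4: map a presented token to a user id; null if unknown or expired.
// $now is injectable so the expiry path can be exercised without waiting an hour.
function authenticate(PDO $db, string $token, ?int $now = null): ?int {
    $now = $now ?? time();
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM access_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int)$row['expires_at'] <= $now) {
        // Answer's rule 2, enforced lazily: an expired token is rejected and dropped here.
        $db->prepare('DELETE FROM access_tokens WHERE token_hash = ?')->execute([$hash]);
        return null;
    }
    return (int)$row['user_id'];
}

// Answer's rule 1: logout removes the token on the server, so the app's copy becomes useless.
function logout(PDO $db, string $token): void {
    $db->prepare('DELETE FROM access_tokens WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

// The answer's scheduler, reduced to housekeeping: bulk-purge rows that already expired.
function purgeExpired(PDO $db, ?int $now = null): int {
    $stmt = $db->prepare('DELETE FROM access_tokens WHERE expires_at <= ?');
    $stmt->execute([$now ?? time()]);
    return $stmt->rowCount();
}

// Walk-through with a constructed user (not real data).
$db = connect();
createUser($db, 'alice', 'correct horse battery staple');
assert(login($db, 'alice', 'wrong-password') === null);
$token = login($db, 'alice', 'correct horse battery staple');
assert(authenticate($db, $token) === 1);                                    // valid, step 4 passes
assert(authenticate($db, $token, time() + TOKEN_TTL_SECONDS + 1) === null); // expired: rejected and deleted
$token = login($db, 'alice', 'correct horse battery staple');               // re-login issues a new token
logout($db, $token);
assert(authenticate($db, $token) === null);                                 // logged out: rejected
echo "token flow OK\n";
```

The app should send the token in an `Authorization: Bearer <token>` header over HTTPS only; a token in a query string ends up in server and proxy logs. Looking the token up by its SHA-256 means a leaked database dump does not contain usable credentials, and the hashed lookup is cheap because the token is high-entropy random data, so no slow password hash is needed for it.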
Licensed under: CC-BY-SA with attribution