Hello everyone!

I want to open a discussion about user authorization in a system where Phalcon stands on the server side and a Node-Webkit application on the client side. On the client side, in order to authenticate, the user has to enter an email address. The server side will generate a token that will be sent to the specified email (something like «Click on the link to activate the session: https://example.com/unlock/113c2728998e840f60e7f0cc71854dea»).

Client side: in the background, when the first part of authorization is complete (token generated and sent to the user's mail), the client side will ask the server about authorization at a specified interval.

After the user clicks on the link and the client side asks about authorization, if the token was approved, the session will be unlocked and the user can access the dashboard of the app.


The question is, how secure is this method? At this time on the Phalcon server I'm using the built-in session component, so there is no additional check (but there will be).

"Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break." – Bruce Schneier


Thanks!