After writing a login system working with PHP + MySQL on the server side and Unity (C#) on the client side, I have a problem. I'm implementing the user actions. I have segmented every action into independent PHP files (login, register, getfriends, comment, etc.). I do the classic username + password login; after that, I generate an access token and send it to the client. How can I ensure, for every action, that the user has actually logged in to the app? I was thinking of this:
File | POST requirements | Result
---|---|---
GetFriends.php | username | friends array
Should I send the accessToken with every request to block any user trying to use this file without permission? Like logging in every time? I've read that web browsers have sessions and cookies, so I'm trying to copy that behavior.
Note: encryption is not a concern now; I want to implement the basic workflow first.
The accessToken ensures that the one who is trying to access the data from the server is the authenticated user.
It doesn't necessarily have to be logging in every time. At the time of username/password login, the accessToken needs to be generated, and it should be used for all the subsequent requests until the user logs out or the accessToken gets refreshed.
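One way to put that workflow into the per-action PHP files is shown below. This is an added example, not code from the question or the answer: it uses an in-memory SQLite PDO connection as a stand-in for the MySQL database (the SQL is kept generic so the same statements work on MySQL), and the one-hour token lifetime, the table names, the `accessToken` POST field and the `authenticate()` helper name are all assumptions. The point it demonstrates is that once the token is issued, every action file derives the acting user from the token rather than trusting a `username` field in the POST body.

```php
<?php
// Added example (not from the question or answer). In-memory SQLite stands in
// for the MySQL connection so the file runs offline with: php example.php
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // assumed lifetime; client re-logins or refreshes after this

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE friends (user_id INTEGER, friend_name TEXT)');
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    return $db;
}

// Login.php: verify username/password, then mint a token. Only the SHA-256 of
// the token is stored, so a dumped sessions table does not contain live tokens.
function login(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG; unguessable, so a plain SHA-256 lookup key is fine
    $ins = $db->prepare('INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $ins->execute([hash('sha256', $token), $row['id'], time() + TOKEN_TTL_SECONDS]);
    return $token; // returned once to the Unity client, which resends it with each action
}

// Shared check included by every action file (GetFriends.php, Comment.php, ...).
// Returns the user id the token belongs to, or null if it is unknown or expired.
function authenticate(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT user_id, expires_at FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    return (int)$row['user_id'];
}

// How an action file would pull the token out of the request (assumed field name).
function tokenFromRequest(): ?string {
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (str_starts_with($auth, 'Bearer ')) {
        return substr($auth, 7);
    }
    return $_POST['accessToken'] ?? null;
}

// Logout.php: invalidate the token server-side, not just forget it on the client.
function logout(PDO $db, string $token): void {
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

// GetFriends.php: the username no longer comes from the POST body; it is taken
// from the token, so a client cannot request another user's friend list.
function getFriends(PDO $db, string $token): array {
    $userId = authenticate($db, $token);
    if ($userId === null) {
        http_response_code(401);
        return ['error' => 'not authenticated'];
    }
    $stmt = $db->prepare('SELECT friend_name FROM friends WHERE user_id = ?');
    $stmt->execute([$userId]);
    return ['friends' => $stmt->fetchAll(PDO::FETCH_COLUMN)];
}

// Demo with constructed sample data: one user, two friends.
$db = connect();
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);
$db->prepare('INSERT INTO friends (user_id, friend_name) VALUES (1, ?), (1, ?)')
   ->execute(['bob', 'carol']);

var_dump(login($db, 'alice', 'wrong password'));   // no token for a bad password
$token = login($db, 'alice', 'correct horse battery');
print_r(getFriends($db, $token));                   // friend list for the token's owner
print_r(getFriends($db, 'not-a-real-token'));       // rejected: unknown token
logout($db, $token);
print_r(getFriends($db, $token));                   // rejected: token invalidated at logout
```

The client side only needs to keep the string returned by `login()` and attach it to each subsequent request (as a `Bearer` header or the assumed `accessToken` POST field); the server never needs the password again until the token expires or is revoked, which is the "not logging in every time" behaviour the answer describes.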