I am developing a platform that has 3 applications, and will probably have 4.
The first one is the client website, made using PhalconPHP; the second one is the client's intranet, where he can manage his website; then there is the administrator, where I can create new websites and manage my customers.
The last one is the API; everything should be accessible via the API too.
My initial plan is to use JWT as the authorization method, but I have some doubts.
1. Once the JWT has been created, I need to store it somewhere on the client so that it can be sent on every new request. What I don't know is where to store it so that PHP can access it and JavaScript can access it too, so that I can make AJAX requests with the token.
I need a way to make this possible securely. HTTPS will always be used in my app, but there is this one problem that I'm not sure how to solve.
I repeat, the JWT should be accessible by both JS and PHP. How do I do this in a secure way?
Also, I was thinking about adding the PHP_session_id to the JWT payload, and adding auto-renew too, which means that a token is useful only for the "user" that made the log-in. Is this approach secure?
Hope you can help me.
Thanks