I am a bit confused about a matter. I have made a RESTful API in PHP where the entry point is index.php.
Now the point is that when a user logs in, a randomly generated token will be sent to the user, and from then on, for any request (to receive an HTML page or JSON data), the user has to send the token with the request; otherwise the user will get a 401, unauthorised response.
Now when the user makes an AJAX call, the token has to be sent via an HTTP header, and there is no problem. But my confusion is: when a user asks for an HTML page (e.g. report.html), how will the user send the token to authenticate himself/herself before accessing the page?
Currently my solution is as follows:
http://host/app-name/page/token
Is it the right way?
For your information, the login page can be accessed without a token.
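The gate described in the question, sketched as an added example (not the poster's code): a front controller that accepts the token from a header for AJAX calls or from the last path segment for page requests, and answers 401 otherwise. The header name `X-Auth-Token`, the token value, the function names and the sample requests are assumptions constructed for illustration; the printed request line shows that a path-carried token ends up wherever the URL is recorded (access logs, browser history, `Referer`).

```php
<?php
// Added illustration; not the poster's code. Header name, token value and
// function names are assumptions. Sample requests below are constructed.
const ISSUED_TOKENS = ['c0nstructed-token-7f3a9b21' => 'alice'];

// Split the request path into segments: /app-name/page[/token]
function pathSegments(array $server): array
{
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH) ?: '';
    return array_values(array_filter(explode('/', $path), 'strlen'));
}

// Return [transport, token] for the two transports the question describes.
function tokenFromRequest(array $server): array
{
    if (!empty($server['HTTP_X_AUTH_TOKEN'])) {      // AJAX: assumed header X-Auth-Token
        return ['header', $server['HTTP_X_AUTH_TOKEN']];
    }
    $seg = pathSegments($server);
    if (count($seg) >= 3) {                          // page request: token is the last segment
        return ['path', $seg[count($seg) - 1]];
    }
    return ['none', ''];
}

// Decide the HTTP status index.php would send for this request.
function gate(array $server): array
{
    $seg = pathSegments($server);
    if (($seg[1] ?? '') === 'login') {               // login page needs no token
        return [200, 'public'];
    }
    [$via, $token] = tokenFromRequest($server);
    foreach (ISSUED_TOKENS as $issued => $user) {
        if (hash_equals((string) $issued, $token)) { // constant-time comparison
            return [200, "$user via $via"];
        }
    }
    return [401, 'unauthorised'];
}

$samples = [
    ['REQUEST_URI' => '/app-name/login'],
    ['REQUEST_URI' => '/app-name/data', 'HTTP_X_AUTH_TOKEN' => 'c0nstructed-token-7f3a9b21'],
    ['REQUEST_URI' => '/app-name/report.html/c0nstructed-token-7f3a9b21'],
    ['REQUEST_URI' => '/app-name/report.html'],
];
foreach ($samples as $s) {
    [$status, $why] = gate($s);
    // The request line is what an access log records; a path token appears in it.
    printf("%d %-18s GET %s\n", $status, $why, $s['REQUEST_URI']);
}
```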