hi guys!
I am trying to create something safe, but not terrible.
What I need is to find a user in my database and then edit fields on that user.
The way I currently do this is with code like this:
var crypto = require('crypto'); // assumed: SHA256 helper built on Node's crypto module
function SHA256(s) { return crypto.createHash('sha256').update(s).digest('hex'); }
exports.buyItem = function(req, res, next) {
  var token = req.body.token, playerID = req.body.playerID;
  User.findOne({ token: SHA256(token) + playerID }, function(err, user) {
    if (err) return next(err);
    if (!user) return res.status(401).end(); // no user stores this hashed token + playerID
    // implementation (do something for that user)
  });
};
Explanation:
When the user logs in, a randomly generated token is created.
The token is then sent back to the user.
And it is also hashed and stored in the database (concatenated with the playerID)
Now each time my user makes a request to the database, he sends the token to the server, which then validates it as in the code above. (It checks if the hashed token + playerID is in the database.)
Now, my questions are:
1. Given that the server would have a lot of traffic, would calculating the hash every time a user requests something be a problem CPU-wise? (the SHA256 part)
2. Got any suggestions as to what I should do differently if this sucks?
3. Do you see a problem with the implementation?
I would prefer not using cookies.