I saw an answer on SO that I can't quite understand, and I'm asking for help.
http://stackoverflow.com/questions/3963877/creating-an-api-for-mobile-applications-authentication-and-authorization?rq=1#answer-3965689
The way I'm thinking about doing the login part of this in my projects is:
1. before login the user requests a login_token from the server. These are generated and stored on the server on request, and probably have a limited lifetime.
2. to login the application calculates the hash of the user's password, then hashes the password with the login_token to get a value, they then return both the login_token and the combined hash.
3. The server checks the login_token is one that it has generated, removing it from its list of valid login_tokens. The server then combines its stored hash of the user's password with the login_token and ensures that it matches the submitted combined token. If it matches you have authenticated your user.
1. Before login, the server first generates a login_token with a limited lifetime and returns it to the app;
2. The app first computes the hash of the password, then hashes the password together with the login_token to produce a value, and finally returns both the login_token and the combined hash;
3. The server checks the login_token and, if it is valid, removes it from the list of usable login_tokens. The server then combines its stored hash of the user's password with the login_token to verify that it matches the uploaded token; if they match, authentication succeeds.
Question: in step 3, when was "its stored hash of the user's password" saved? Step 2 doesn't save anything like that.
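A runnable walk-through of the three steps above, written as an added example (it is not code from the Stack Overflow answer). It assumes the server stores the password hash at registration time, before any login happens, that client and server combine that hash with the login_token using HMAC-SHA256, and a 60-second token lifetime; the in-memory dictionaries stand in for a database.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory stores standing in for a database (assumption).
USERS = {}           # username -> stored hash of the user's password
LOGIN_TOKENS = {}    # login_token -> expiry timestamp
TOKEN_LIFETIME = 60  # seconds (assumed lifetime)


def password_hash(password: str) -> str:
    # Plain SHA-256 as the quoted scheme describes; a production system
    # would use a salted, slow password hash (scrypt/argon2) instead.
    return hashlib.sha256(password.encode()).hexdigest()


def register(username: str, password: str) -> None:
    # This is where "its stored hash of the user's password" is saved:
    # at account creation, before any login_token is ever issued.
    USERS[username] = password_hash(password)


def issue_login_token(now: float = None) -> str:
    # Step 1: server generates a random token, stores it with an expiry.
    now = time.time() if now is None else now
    token = os.urandom(16).hex()
    LOGIN_TOKENS[token] = now + TOKEN_LIFETIME
    return token


def combine(pw_hash: str, login_token: str) -> str:
    # Shared combination step (assumed: HMAC-SHA256 keyed on the hash).
    return hmac.new(pw_hash.encode(), login_token.encode(), hashlib.sha256).hexdigest()


def client_login(password: str, login_token: str) -> tuple:
    # Step 2: client hashes the password, combines it with the token, and
    # sends back both the token and the combined hash.
    return login_token, combine(password_hash(password), login_token)


def server_verify(username: str, login_token: str, submitted: str, now: float = None) -> bool:
    # Step 3: token must be one we issued, is removed on first use, and must
    # not be expired; then recompute the combined hash from the stored hash.
    now = time.time() if now is None else now
    expiry = LOGIN_TOKENS.pop(login_token, None)  # single use, even on failure
    if expiry is None or now > expiry:
        return False
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = combine(stored, login_token)
    return hmac.compare_digest(expected, submitted)  # constant-time compare
```

Because the server-side check only needs the stored hash, anyone who reads that hash can complete the login exchange without knowing the password, so the stored value must be protected as a password-equivalent secret.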