Steam Authentication with Lua without using Steam ID

I am looking for a method for a secure session between a website and the client playing garrysmod. Something like a one-time key that the client requests the Steam authentication server to generate and then passes to the web server to compare to the one sent from Steam. This way the client can’t fake their Steam ID and gain access to anyone else. Does anyone have a solution?

Generate a token serverside then send it to the client, then link the key serverside to their SteamID. When the client requests a sync they have to send their saved key to the server to verify that it matches. This way you can only sync if your key is the same as the server's, and it's too random to just guess what key someone has.

Just make the client go to a page on your website that will redirect them to Steam’s OpenID interface. Let Steam do all the work.

I think there are some flaws: when they get onto a new machine that does not have the key they are unable to resync, and also anyone could request a key. The problem is not transfer security, it is insurance that the person is who they say they are.

-Edit: So think of when a person connects to a server, they send a randomly generated key that is based off something the steam server gave them. The server then can check if that is a valid user that is logged into steam, that is why you can’t bypass the login.

Edit, 19th November 2014:

I was hoping for a better method, I use steam openID and it would be great for them not to have to login through it.

Make the key generate only once unless revoked and regenerated, make the user sign up for the sync site including their SteamID and have email verification, then make an option where a user can revoke their key and generate a new one that they can use on a new machine. I also have no idea how you would do this on the webserver, but if it's possible, good luck.

Fun fact of the day, if it still works like it used to, openID through the Steam UI automatically logs in without them having to type anything. Redirect them to the login page, and it’ll auto redirect back to destination.

That does not sound like too bad of an idea, I guess that will work. Thanks everyone.
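The Steam OpenID redirect suggested in the thread, sketched for the web server side. This is an added example, not code from any poster. It assumes the returned query string has been parsed into a flat dict of strings, and the function names and the injectable `verify` callback are hypothetical.

```python
import re
import urllib.parse
import urllib.request

STEAM_OPENID = "https://steamcommunity.com/openid/login"
OPENID_NS = "http://specs.openid.net/auth/2.0"
CLAIMED_ID = re.compile(r"https?://steamcommunity\.com/openid/id/(\d{17})")
# Fields the provider's signature has to cover before they mean anything.
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce",
             "assoc_handle", "claimed_id", "identity"}

def login_url(return_to, realm):
    """URL to redirect the player to; Steam sends them back to return_to."""
    query = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.identity": OPENID_NS + "/identifier_select",
        "openid.claimed_id": OPENID_NS + "/identifier_select",
    }
    return STEAM_OPENID + "?" + urllib.parse.urlencode(query)

def ask_steam(params):
    """Default verifier: POST the assertion back to Steam for confirmation."""
    body = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(STEAM_OPENID, data=body, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def verified_steamid(params, return_to, verify=ask_steam):
    """Return the SteamID64 that Steam vouches for, or None if anything is off."""
    if params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.op_endpoint") != STEAM_OPENID:
        return None
    if params.get("openid.return_to") != return_to:
        return None
    if not MUST_SIGN <= set(params.get("openid.signed", "").split(",")):
        return None
    match = CLAIMED_ID.fullmatch(params.get("openid.claimed_id", ""))
    if match is None:
        return None
    # The browser delivered every value above, so the SteamID is only a claim
    # until Steam confirms that it issued this exact assertion.
    check = {**params, "openid.mode": "check_authentication"}
    lines = verify(check).splitlines()
    return match.group(1) if "is_valid:true" in lines else None
```

The SteamID is taken only from an assertion Steam has confirmed, never from a value the client supplies directly, which is the property asked for at the top of the thread.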