
Android sign-in button and remote web login in PHP ZF2

I googled and only found documents on how to create a sign-in button in your Android application, or how to create a sign-in button in your web application.

My scenario is that the Android application retrieves information from my website using GET/POST HTTP requests and gets JSON data back.

I have a working Android sign-in button in my Android application.

The question is: when I want to retrieve information from my website using a GET/POST request, what information should I send in order for the website to know which user is retrieving that information and that the user is logged in?

I know that I can't just send the Google user ID because that's not secure and easily hacked. I'm guessing I need to send some kind of access token, and on the website parse that access token in order to know which user it is. But what exactly do I need to do?

My client side is PHP with Zend Framework 2 and ZfcUser with scn-social-auth for Google login.

Any information regarding the issue would be greatly appreciated.

Thanks

In my previous staff project, I implemented our API modules for Zend Framework (it was version 1, but it is the same for version 2).

Basically, I implemented the OAuth 1.0 protocol (RFC at http://tools.ietf.org/html/rfc5849), which is a really strong way to improve the connection security between a generic client (Android, iOS, Mac OS X, Windows Phone, ...) and a web service.

In short, it consists of enforcing HTTPS (I hope you are working over HTTPS) and signing all the client GET/POST requests with the base OAuth parameters (such as oauth_version, oauth_token, ... all explained in the RFC) in order to prevent a MITM or proxy from altering the request. Using this method, I made a specific table in which to store Request and Access Tokens.

So:

  • The client has a consumer key and consumer secret
  • The server has the same consumer key and consumer secret
  • OAuth will use that key pair to authenticate the connection
  • The client obtains a "Request Token" from the server
  • The client performs a common username and password login through the OAuth workflow to the server
  • The client obtains an Access Token (if the login succeeds) that will be stored in the token DB table and will be used to check whether that user on that device is logged in and so authorized to use the service (so you'll probably need a device GUID as well)

You can find good guidelines and good GitHub projects on how to implement your own OAuth protocol (see also services like Dropbox or Twitter, in their developer sections, for how they use OAuth for their service). Consider that you can obviously customize your OAuth protocol once implemented, with additional controls and tokens (I used AES-256 encryption and 2048-bit RSA for some custom tokens, and also to encrypt the username and password for the login with a key combination received in the previous step of the OAuth workflow).

In the end, you can connect the clients to your web service with your custom tokens, so that once authenticated, you make your web service interact with the Google service and return information to the client, always through your website.

Hope it helps
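The signing scheme the answer above describes, shown as a worked example on both sides of the connection. This is added illustration code, not the answerer's implementation and not part of ZF2, ZfcUser or scn-social-auth; it is written in Python rather than PHP so that client and server can run together in one file. The consumer key/secret, the access-token table (one constructed row standing in for the DB table the answer mentions), the token secret and the request URL are all assumptions made up for the example. It builds the RFC 5849 signature base string, signs it with HMAC-SHA1, and on the server side looks the token up, checks the timestamp window and nonce (replay protection), and compares the signature in constant time, returning the user ID the request is authorized for.

```python
"""Signed API requests in the style of OAuth 1.0 (RFC 5849): client and server side."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample data (assumptions for this example): the consumer key/secret
# shared by the Android app and the server, and one row of the server's access-token
# table, mapping the token issued at login to the user and device it belongs to.
CONSUMER_KEY = "android-app-example"
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_TABLE = {
    "at-3f9c1d": {"user_id": 42, "device_guid": "d0c3-example", "token_secret": "ats-example"},
}
SEEN_NONCES = set()      # (token, nonce) pairs already accepted; blocks replay of a captured request
TIMESTAMP_WINDOW = 300   # seconds of client/server clock skew tolerated


def pct(value):
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6 (only -._~ unencoded)."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1).

    `params` holds (name, value) pairs from the body plus the oauth_* parameters;
    query-string parameters in `url` are folded in, oauth_signature is excluded,
    and the set is sorted by encoded name, then value.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    all_params = [(k, v) for k, v in list(params) + parse_qsl(parts.query, keep_blank_values=True)
                  if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in all_params))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def client_sign_request(method, url, body_params, token, token_secret, now=None):
    """Client side: add the oauth_* parameters and the signature to an outgoing request."""
    params = dict(body_params)
    params.update({
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_nonce": secrets.token_hex(8),
        "oauth_timestamp": str(int(now if now is not None else time.time())),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params.items()), CONSUMER_SECRET, token_secret)
    return params


def server_verify_request(method, url, params, now=None):
    """Server side: return the user_id the request is authorized for, or None if rejected."""
    now = now if now is not None else time.time()
    try:
        if params["oauth_consumer_key"] != CONSUMER_KEY or params["oauth_signature_method"] != "HMAC-SHA1":
            return None
        row = TOKEN_TABLE.get(params["oauth_token"])
        if row is None:
            return None                                   # unknown or revoked access token
        if abs(int(params["oauth_timestamp"]) - now) > TIMESTAMP_WINDOW:
            return None                                   # stale request
        nonce_key = (params["oauth_token"], params["oauth_nonce"])
        if nonce_key in SEEN_NONCES:
            return None                                   # replayed request
        expected = hmac_sha1_signature(
            signature_base_string(method, url, params.items()), CONSUMER_SECRET, row["token_secret"])
        if not hmac.compare_digest(expected.encode(), params["oauth_signature"].encode()):
            return None                                   # tampered or forged request
        SEEN_NONCES.add(nonce_key)
        return row["user_id"]
    except (KeyError, ValueError):
        return None                                       # missing or malformed oauth_* parameter


if __name__ == "__main__":
    url = "https://api.example.com/v1/me?fields=name"
    req = client_sign_request("POST", url, {"q": "a b"}, "at-3f9c1d", "ats-example")
    print("user:", server_verify_request("POST", url, req))      # 42
    print("replay:", server_verify_request("POST", url, req))    # None
```

Because the token secret never travels with the request, an attacker who sees the token ID alone cannot produce a valid signature, and changing any parameter in transit breaks the signature; the nonce cache and timestamp window stop a captured request from being replayed. In a real deployment the nonce cache needs an expiry, the token table lives in the database and the transport is still HTTPS, as the answer says.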

If the user login server is the same as the one from which you want to retrieve information, you can use the session ID as the token.

1. After authentication, the server stores the userId in the session.
2. The server uses session_id() to get the session ID and returns it to the Android client.
3. Add a ?PHPSESSID=sessionId parameter to the Android client's HTTP request.
4. The server gets the userId from the session.

session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.

You can add the GET parameter PHPSESSID to any requested URL.

// Zend Framework 2: read the ID of the current (already started) session so it can be returned to the client
$manager = \Zend\Session\Container::getDefaultManager();
//$manager = new \Zend\Session\SessionManager();
$PHPSESSID = $manager->getId();
