
Do I need to use PHP sessions in my Android app?

I have created an Android app that communicates with a PHP web server. They both send JSON to each other. My app is almost finished, however there is one thing left to do: authentication.

Since the user's username and password will be stored in Android SharedPreferences, is there any need to use PHP sessions, given that the user won't need to enter the username/password at every request?

Since I can just send the username and password in the HTTP POST header for every request, and I will be using SSL, is this sufficient? I guess I could add an extra field in the header called 'random' that just adds a random value, just to use as a salt so that the encrypted SSL payload will be different every time.

The reason why I don't want to use sessions is that my Android App would either have to handle cookies, or manage the storage of the session ID.

If there are some serious cons to using my method above, then I'm more than happy to use sessions.

Personally, I'm against sending the username and password in the request each time. One thing you could do is generate a unique ID when they log in, and store that in a database on your server, then just pass that instead of the username and password.
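The per-login token approach this answer suggests, as an added example in the server's own language, PHP (not code from the question or any answer). It assumes a PDO handle `$db`, a `users` table whose `password_hash` column was filled with `password_hash()`, and an `api_tokens` table with `user_id`, `token_hash` and `expires_at` columns; only a hash of the token is stored, so a leaked table does not yield usable tokens.

```php
<?php
// Assumed schema: users(id, username, password_hash), api_tokens(user_id, token_hash, expires_at)
const TOKEN_TTL = 86400 * 14; // token lifetime in seconds; two weeks is an arbitrary choice

// Called once at login: verify the credentials, mint a random token, store only its hash.
function issueToken(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex chars on the wire
    $ins = $db->prepare(
        'INSERT INTO api_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $ins->execute([$user['id'], hash('sha256', $token), time() + TOKEN_TTL]);
    return $token; // the app stores this instead of the password
}

// Called on every later request: map "Authorization: Bearer <token>" back to a user id.
function authenticateRequest(PDO $db, array $headers): ?int {
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+([0-9a-f]{64})$/', $auth, $m)) {
        return null; // missing or malformed header
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM api_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $m[1]), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Logout, or revocation after a password change: deleting the hash kills the token.
function revokeToken(PDO $db, string $token): void {
    $db->prepare('DELETE FROM api_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}
```

A typical flow is one call to `issueToken()` from the login endpoint, then `authenticateRequest($db, getallheaders())` at the top of every other endpoint, rejecting the request with 401 when it returns null.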

I believe that you will be fine with what you have now, as long as you make sure that the user info is securely transferred. The salt is a good idea. It really just depends on how secure you want it.

It is very bad practice to send account credentials in every request. I think the better way is to use the Google OAuth2 API - it is VERY simple and safer than a local accounts database. Have you considered that option?

I think Google have given this a lot of thought, so doing something similar to what they do wouldn't be a bad idea. If you look at the way they do their

  • login process, ie https://accounts.google.com/o/oauth2/auth

and especially their

  • token refreshing, ie https://accounts.google.com/o/oauth2/token

it might feel like overkill, but you might come away with some ideas that could be valuable to your own implementation.

EDIT: oops, almost forgot the documentation link: https://developers.google.com/accounts/docs/OAuth2
