
mobile application with membership design

I have made a JSON API for a database which has some products, and some users who can add and search for these products. So a user has a login/pass; with these credentials I can do POST API calls.

I now want to make an iPhone / Android app, and I'm wondering how to handle these POST requests: the first time I'll ask the user for credentials, then I'll be able to do one POST request. But where do I store these credentials? On the mobile? Should they be persisted so that at the next application start the login will still be there?

Any helpful link is welcome.

I wouldn't store plain-text or encrypted login credentials at all, but implement an OAuth-style login procedure where the user logs in once, the server validates it and generates a relatively long random string (compared to usual user passwords) as an authentication token.

The advantage is that this random string is gibberish. If that token leaked to a third party, they would basically have only a key to your service and not a universal key that could grant access to other services, too (because people are usually too lazy to memorize different passwords for different places, and that can be exploited).

So basically you would do your users a favor and increase their security.

In the case of Android, that token can be stored in your app's private storage, which can be considered safe because other apps don't have access permission (not considering rooted or compromised devices, but that shouldn't be your problem).

For authentication with your server, you just add that token to your app's HTTP requests, for example as an additional header value.
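The flow described in the answer above, as an added example that is not part of the original answer or of any project mentioned on this page: a stand-in server that checks the password once, hands back a long random token, and later maps an `Authorization: Bearer <token>` header back to the user, plus a stand-in for the app that keeps only the token. Class and method names (`AuthServer`, `MobileClient`, `TOKEN_TTL_SECONDS`) and the 30-day lifetime are assumptions chosen for the example; the user account and request data are constructed inline.

```python
"""Password once, token afterwards: a stand-in for the server and the app."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical token lifetime; the original answer does not specify one.
TOKEN_TTL_SECONDS = 30 * 24 * 3600


class AuthServer:
    """Validates the password once, then issues and checks random bearer tokens."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, pw hash)
        self._tokens: Dict[str, Tuple[str, float]] = {}    # sha256(token) -> (user, expiry)

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        # Slow salted hash for the password; PBKDF2 from the stdlib keeps this offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_id(token: str) -> str:
        # Only a digest of the token is stored server-side, so a dump of this
        # table does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._pw_hash(password, salt))

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a fresh random token if the credentials are right, else None."""
        record = self._users.get(username)
        if record is None:
            self._pw_hash(password, b"\x00" * 16)   # same cost for unknown users
            return None
        salt, stored = record
        if not hmac.compare_digest(self._pw_hash(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)            # 256 random bits, 43 chars
        expiry = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self._tokens[self._token_id(token)] = (username, expiry)
        return token

    def authenticate(self, headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
        """Map an 'Authorization: Bearer <token>' header to a username, or None."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return None
        record = self._tokens.get(self._token_id(token))
        if record is None:
            return None
        username, expiry = record
        if (time.time() if now is None else now) >= expiry:
            self._tokens.pop(self._token_id(token), None)  # expired: drop it
            return None
        return username

    def logout(self, token: str) -> None:
        """Revoke one token without touching the user's password."""
        self._tokens.pop(self._token_id(token), None)


class MobileClient:
    """Stands in for the app: holds only the token, never the password."""

    def __init__(self, server: AuthServer) -> None:
        self._server = server
        self.token: Optional[str] = None   # on the device this is what gets persisted

    def login(self, username: str, password: str) -> bool:
        self.token = self._server.login(username, password)
        return self.token is not None

    def post(self, path: str, body: dict) -> Tuple[int, str]:
        """Simulated POST: the token rides along as a header, nothing else is sent."""
        headers = {"Authorization": f"Bearer {self.token}"} if self.token else {}
        user = self._server.authenticate(headers)
        if user is None:
            return 401, "unauthorized"
        return 200, f"{user} posted to {path}: {body}"


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse battery staple")   # constructed user
    app = MobileClient(srv)
    assert app.login("alice", "correct horse battery staple")
    print(app.post("/products", {"name": "widget"}))
```

The string returned by `login` is the only thing the app needs to persist between starts; the password is discarded as soon as the exchange is done. Because the server keeps only a SHA-256 of each token, a single token can be revoked (`logout`) or allowed to expire without the user ever changing their password, and the comparison of the password hash uses `hmac.compare_digest` so that a wrong guess is rejected in constant time.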
