
Firstly, no OAuth or other such things are supported on the server side, just normal username-password database querying.

I want to implement an android client for the web site. My questions are:

  1. How to log in safely? With HTTPS?
  2. How to store user login information safely on the phone so the user can log in without any input next time?
  3. If the user does some actions after login, how to identify him? How to keep the session? By copying and resending some cookies like "jsessionid"?
virsir

1 Answer

  1. HTTPS is obviously the best choice as the username and password will be encrypted between the device and the server (i.e. if the user uses airport Wi-Fi their credentials can't be "sniffed").
  2. You can store the password on the device in SharedPreferences using PreferenceManager.getDefaultSharedPreferences() and access it later within your code automatically. You can provide an option for the user to clear the password. On unrooted devices, no other application or device can access your app's private storage, so the data is safe. On rooted devices it is accessible, but security is one of the downsides of rooting.
  3. It really depends on the server. Most websites will use a phpsessionid or jsessionid cookie. In that case see Android Http get Session Cookie and How do I make an http request using cookies on Android?

OAuth is of course preferred because this prevents the actual application from storing/having access to the server directly (instead, it's basically a long-term cookie)

Oleg Vaskevich
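As an added illustration of points 1 and 3 of the answer (this is example code written for this page, not code from the question, the answer, or any library the answer links to): a plain-Java client that logs in over HTTPS, lets `java.net.CookieManager` capture the server's session cookie (`JSESSIONID` is assumed as the cookie name, and `https://example.com/login` and `https://example.com/me` are placeholder endpoints), replays it automatically on later requests, and can re-install a saved session id on the next app start. Persisting that id is left to whatever store the app uses (the SharedPreferences the answer mentions, on Android), so the snippet stays free of Android-only classes; holding a session id that the server can expire is the preferable thing to persist, rather than the raw password. The `username`/`password` form field names are likewise assumptions about the site's login form.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

/** Example HTTPS + session-cookie client; endpoints and cookie name are assumed placeholders. */
public class SessionClient {
    // Assumed placeholder URLs; replace with the real site's login and a logged-in-only page.
    private static final String LOGIN_URL = "https://example.com/login";
    private static final String PROFILE_URL = "https://example.com/me";
    // Assumed session cookie name (the answer mentions jsessionid / phpsessionid).
    private static final String SESSION_COOKIE = "JSESSIONID";

    // Accepts cookies only from the origin server; HttpsURLConnection reads/writes this store.
    private final CookieManager cookies =
            new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);

    public SessionClient() {
        CookieHandler.setDefault(cookies);
    }

    /** POST the credentials over TLS; the Set-Cookie in the reply lands in the cookie store. */
    public boolean login(String user, String password) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(LOGIN_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "username=" + URLEncoder.encode(user, "UTF-8")
                + "&password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();
        conn.disconnect();
        // Logged in only if the server answered 200 and actually issued a session cookie.
        return status == 200 && sessionCookie() != null;
    }

    /** The session cookie the server issued, or null if none was set yet. */
    public HttpCookie sessionCookie() {
        for (HttpCookie c : cookies.getCookieStore().getCookies()) {
            if (SESSION_COOKIE.equalsIgnoreCase(c.getName())) {
                return c;
            }
        }
        return null;
    }

    /** Re-install a session id saved from a previous run so the user is not prompted again. */
    public void restoreSession(String savedSessionId) throws URISyntaxException {
        HttpCookie c = new HttpCookie(SESSION_COOKIE, savedSessionId);
        c.setSecure(true);   // only ever sent over https
        c.setPath("/");
        c.setVersion(0);     // plain "Cookie: NAME=value" header format
        cookies.getCookieStore().add(new URI(PROFILE_URL), c);
    }

    /** GET a logged-in-only page; the cookie store adds the Cookie header for us. */
    public int fetchProfileStatus() throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(PROFILE_URL).openConnection();
        int status = conn.getResponseCode();
        conn.disconnect();
        return status; // 200: session still valid; 401/403 (or a redirect to login): log in again
    }
}
```

Typical flow: on first run call `login(user, password)`, then save `sessionCookie().getValue()`; on the next start call `restoreSession(saved)` and `fetchProfileStatus()`, and fall back to a fresh login only if that status shows the server has expired the session. Nothing in this class disables certificate validation; the default `HttpsURLConnection` trust checks are what make the credential exchange in point 1 safe on untrusted networks.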