0

I am in the process of creating an Android application which should have the ability to share content with other users, and I am planning to use a PHP backend.

I want users to log in to my web service to avoid trolling and filling my service with useless data.

But now that I am using Android to access the service, I know it's simple to create an HTTP POST and send the login credentials to the server, but how do I keep the session alive?

As far as I know, it's common to just keep the application logged in to the service on a mobile phone, at least when there's no personal data available.

How should I store the data that the Android device has been logged in?

Let's say I created a MySQL table that would contain the user, password and id.

I thought about generating a unique id for the device, using ANDROID_ID or IMEI, and associating it with the user id that has been logged in to my web service, but that doesn't seem secure enough.

How do other applications do this?

Ruuhkis

1 Answer

1

You can continue to use a session if you read the cookie from the first server response (set through Set-Cookie) and send it in subsequent requests using a Cookie: header. Just the same way a web browser does it.

It depends on the HTTP library you are using, how it is done.

akirk
  • So let's say that after a successful login I set something like $_SESSION['user_id'] = $user->id and $_SESSION['logged_in'] = 1 and store the session cookie that PHP generates; there's no way to hijack this? – Ruuhkis Apr 05 '13 at 12:55
  • Well, the risks are the same as with a regular web browser. If you use HTTPS, hijacking is quite unlikely. Mind you that the session cookie actually only tells PHP the file on the server where to find the session variables. – akirk Apr 05 '13 at 12:58
  • So this is how it's usually implemented in actual websites, by using the PHP session? (assuming they're running PHP..) – Ruuhkis Apr 05 '13 at 12:59
  • Yes, it usually works through cookies. See this question: http://stackoverflow.com/questions/1535697/how-do-php-sessions-work-not-how-are-they-used – akirk Apr 05 '13 at 13:01
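
The exchange the answer describes, as an added example that is not part of the original answer or comments: the client reads `Set-Cookie` once after login and sends the value back in a `Cookie:` header. A small JDK HTTP server stands in for the PHP backend; the class name, the `/login` and `/me` endpoints and the user id 42 are constructed for illustration, and the demo uses plain HTTP on loopback only, where a real backend would use HTTPS and add `Secure` to the cookie.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.math.BigInteger;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionCookieDemo {
    // Server-side session data keyed by a random id (PHP keeps this in session files).
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    static void reply(HttpExchange ex, String body) throws IOException {
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(200, b.length);
        ex.getResponseBody().write(b);
        ex.close();
    }

    // Client request: sends the stored cookie if present, returns {body, "name=value" or null}.
    static String[] request(String url, String cookie) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        if (cookie != null) c.setRequestProperty("Cookie", cookie);
        String body = new String(c.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        String setCookie = c.getHeaderField("Set-Cookie");
        // Only "name=value" is sent back; attributes such as Path and HttpOnly are not.
        return new String[] { body, setCookie == null ? null : setCookie.split(";", 2)[0] };
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/login", ex -> {   // credential check omitted in this stand-in
            // The id is an unguessable random token, not a device identifier.
            String sid = new BigInteger(128, new SecureRandom()).toString(16);
            SESSIONS.put(sid, "42");             // like $_SESSION['user_id'] = $user->id
            ex.getResponseHeaders().add("Set-Cookie", "PHPSESSID=" + sid + "; Path=/; HttpOnly");
            reply(ex, "logged in");
        });
        server.createContext("/me", ex -> {      // the cookie only selects the server-side record
            String ck = ex.getRequestHeaders().getFirst("Cookie");
            String user = ck == null ? null : SESSIONS.get(ck.replaceFirst("^PHPSESSID=", ""));
            reply(ex, user == null ? "not logged in" : "user_id=" + user);
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        String cookie = request(base + "/login", null)[1];    // read Set-Cookie once
        System.out.println(request(base + "/me", cookie)[0]); // cookie sent: session found
        System.out.println(request(base + "/me", null)[0]);   // no cookie: treated as anonymous
        server.stop(0);
    }
}
```

On Android, installing a `java.net.CookieManager` with `CookieHandler.setDefault` makes `HttpURLConnection` store and resend the cookie automatically.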