The issue I am facing is: how do you authenticate a user, and then validate the subsequent requests that user sends to the server as valid or invalid?
When registering for the first time, the user will enter his email and password, which will be saved on the server.
From then on there are two different scenarios:
User reinstalls the app
- Now he will not register but only log in again by entering his earlier provided email and password, and will be authenticated if the credentials are correct; then a `true` status will be sent back, maybe with a user id.
Authenticating subsequent requests (usual application functions): Now every request he makes through the app has to be authenticated, and something has to be sent along with the request data to identify the user. What would that be?
- Username & Password:
  I can't send the username and password, because I will not have the password saved on the device due to security issues.
- A token [GUID] that was issued when he logged in:
  - Where would I save that token on the device? `SharedPreferences`? Is it impossible to decompile the app and read data stored in `SharedPreferences`?
Ideally, what should the token expiry date be?
Someone told me that I would also need to use `deviceId` while implementing this? But I am not sure how and where. I also found out that device IDs were not unique until the Gingerbread release?
This is a very basic thing every app must be facing and working through in this scenario, so isn't there a standard, de facto pattern or officially written framework for doing this? Did you all just implement your own ways?
Ideally I am looking for something like "The definitive guide to form-based website authentication", but for mobile.
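The following is an added, self-contained example of the token flow the question describes (register, log in, receive a token, send the token with every later request, expire and revoke it); it is illustrative code written for this page, not code from the question or from any answer. It assumes: an HTTP `Authorization: Bearer <token>` header carries the token, a 30-day token lifetime, an in-memory dictionary standing in for the server's database, PBKDF2-SHA256 for the stored password hash, and no use of a device ID at all (a device ID is not secret, so it cannot authenticate anything). The server stores only a SHA-256 hash of the issued token, so a dump of the server table does not yield usable tokens.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000          # assumption: tune to your server's CPU budget
TOKEN_TTL_SECONDS = 30 * 24 * 3600   # assumption: 30-day token lifetime
_DUMMY_SALT = b"\x00" * 16           # used so unknown emails cost the same time as real ones


@dataclass
class User:
    user_id: int
    email: str
    salt: bytes
    password_hash: bytes


@dataclass
class Session:
    user_id: int
    expires_at: float


class AuthServer:
    """In-memory stand-in for the server side of the flow (hypothetical, not a real framework)."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested deterministically
        self._users = {}             # email -> User
        self._sessions = {}          # sha256(token) -> Session; the raw token is never stored
        self._next_id = 1

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _token_key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email: str, password: str) -> int:
        """First install: store a salted, iterated hash of the password, never the password."""
        if email in self._users:
            raise ValueError("already registered")
        salt = os.urandom(16)
        user = User(self._next_id, email, salt, self._derive(password, salt))
        self._users[email] = user
        self._next_id += 1
        return user.user_id

    def login(self, email: str, password: str):
        """Reinstall: verify credentials, issue a fresh random bearer token with an expiry."""
        user = self._users.get(email)
        candidate = self._derive(password, user.salt if user else _DUMMY_SALT)
        if user is None or not hmac.compare_digest(candidate, user.password_hash):
            return None                                   # same response for bad email or bad password
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness; this is the client's secret
        self._sessions[self._token_key(token)] = Session(user.user_id, self._now() + TOKEN_TTL_SECONDS)
        return {"status": True, "user_id": user.user_id, "token": token}

    def authenticate(self, headers: dict):
        """Every later request: map the bearer token back to a user id, or None if invalid/expired."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        key = self._token_key(auth[len("Bearer "):])
        session = self._sessions.get(key)
        if session is None:
            return None
        if session.expires_at <= self._now():
            del self._sessions[key]                       # expired: drop it so it cannot be replayed later
            return None
        return session.user_id

    def logout(self, token: str) -> None:
        """Server-side revocation; needed because a token copied off the device stays valid until expiry."""
        self._sessions.pop(self._token_key(token), None)
```

Usage: the client keeps only the `token` string (wherever it is stored on the device) and sends `Authorization: Bearer <token>` with each request; the server never sees the password again after login. Because a token read out of `SharedPreferences` on a rooted device is as good as the user's session, the things that limit the damage are the expiry and the server-side revocation (`logout`, or deleting all of a user's sessions when the password changes), not the storage location alone.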