I have a REST API that is accessed by a mobile app. I've included some basic authentication configuration, one of them being based on time; the client (Android) gets the system current time (Java command `System.getCurrentTimeMillis()` --> the difference, measured in milliseconds, between the current time and midnight, January 1, 1970 UTC), and when the server processes the call, it does the same, and then compares both values, and if the difference is less than, say, 10 seconds, it considers the call valid.

The problem is that I'm seeing some (just a few, actually) calls in which the difference between client and server is about 1 hour, which makes me think that maybe this Java function can somehow be affected by some internal configuration on the device...

Thanks!

vanderflo
    Well yes, if you manually adjust the system clock on your phone, that will change the results of `System.getCurrentTimeMillis()`... (It's not clear that what you've implemented is really authentication though...) – Jon Skeet Jan 23 '15 at 11:37
  • Check if the timezone is the same for both client and server. – Bruno Marco Visioli Jan 23 '15 at 11:39
  • (A) Why would you care what time is set on the clock on the client? How does that provide any security? (B) search StackOverflow for terms like java, date, and Joda to find hundreds of helpful Questions and Answers on how to handle date-time. – Basil Bourque Jan 24 '15 at 17:32
  • possible duplicate of [java.util.Date is using TimeZone?](http://stackoverflow.com/questions/1516213/java-util-date-is-using-timezone) – Basil Bourque Jan 25 '15 at 00:03
  • @BasilBourque: Definitely not a duplicate of that. – ruakh Jan 25 '15 at 08:26

1 Answer

Now, I'd recommend that you use a library like Joda Time (or the new date and time API in Java 8).

Java's old time API has several issues that might be affecting you. One that I can think of now is daylight saving time. Depending on how your server is configured, that could lead to the scenario you're describing.

By the way, what you're doing is not authentication. At best, it's authorization. You allow a request to be processed based on its creation date.

Lucas Leite
  • Exactly, I said authentication and what I meant was authorization :). Already using Joda Time and it looks like some of the problems have vanished, thanks. – vanderflo Jan 26 '15 at 19:57
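The freshness check discussed in this thread, as an added example that is not part of the question or the answer: epoch milliseconds are zone-independent, so a 10-second window works when both sides use them, and the one-hour discrepancy appears as soon as one side derives its value from wall-clock fields and treats them as UTC. The sample instant, the UTC+01:00 zone and the 3-second latency are constructed for the demonstration; the function names are the example's own.

```python
import calendar
from datetime import datetime, timedelta, timezone

TOLERANCE_MS = 10_000  # the 10-second window from the question


def epoch_millis(dt):
    """Milliseconds since 1970-01-01T00:00Z for a timezone-aware datetime.

    This is what the client's epoch-millis clock reading represents: it depends
    only on the device clock, not on the timezone or DST setting.
    """
    if dt.tzinfo is None:
        raise ValueError("naive datetime: the zone is ambiguous")
    return int(dt.timestamp() * 1000)


def wall_clock_as_utc_millis(dt):
    """The buggy variant: take the wall-clock fields of a zoned datetime and
    interpret them as UTC (what happens when a server strips or ignores the
    zone). The result is off by the zone's UTC offset, e.g. one hour."""
    return calendar.timegm(dt.timetuple()) * 1000


def is_fresh(client_ms, server_ms, tolerance_ms=TOLERANCE_MS):
    """Accept the request only if the client timestamp is within the window."""
    return abs(server_ms - client_ms) <= tolerance_ms


def demo():
    # Constructed sample: one instant seen by a client whose device is set to
    # UTC+01:00 (wall clock reads 12:37) and by a server that keeps UTC (11:37).
    plus_one = timezone(timedelta(hours=1))
    instant = datetime(2015, 1, 23, 11, 37, 0, tzinfo=timezone.utc)
    client_view = instant.astimezone(plus_one)
    client_ms = epoch_millis(client_view)          # same instant, same value
    server_ms = epoch_millis(instant) + 3_000      # 3 s of network latency
    correct = is_fresh(client_ms, server_ms)       # True: 3 s < 10 s window
    buggy_ms = wall_clock_as_utc_millis(client_view)
    buggy = is_fresh(buggy_ms, server_ms)          # False: off by one hour
    return correct, buggy, buggy_ms - client_ms    # (True, False, 3600000)


if __name__ == "__main__":
    print(demo())
```

The window only limits how long a captured request stays replayable; it does not prove who sent it, which is the point the answer makes about authentication versus authorization.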