I have a PHP server with a username and password to log in to the private section. Right now it works fine, because once I have entered the username and password, the server stores my $_SESSION and I can browse from the browser correctly. I want to replicate something like that with a Java application (Android). I'm thinking about what is the best way to authorize that client for the server; in the Shared Preferences I save the username and password so those values can be easily accessed by the whole application, e.g. for sending a POST. Do you think it is better to send the server the SESSION_ID when I need it, or to send the username and password every time I need to access the private section? I'm going to implement the HTTPS protocol, so the data "should be safe". But in any case, is it better to deal with the session ID or with the username and password? Thank you in advance for your reply.
- Are you trying to access and log in to the PHP site that uses sessions from Java/Android, or trying to implement something similar to sessions in Java/Android? – Jonathan Kuhn Mar 05 '15 at 20:21
- Well, the goal is to send some values from Android to the PHP server (so some query into the database). I don't want to have the username and password of the MySQL DB in Android, because someone can steal them. I want to improve the security. So do you think it will not be a problem to send a POST request with the username and password and the values over HTTPS, and the PHP page will check if the username and password are correct and then make the insert in the DB, isn't it? – I love coding Mar 05 '15 at 20:26
- I don't do Android dev, but a quick Google shows that Android uses the Apache HTTP class ([see here](http://stackoverflow.com/questions/3505930/make-an-http-request-with-android)). Another search shows how to use the HTTP class with cookies ([see here](http://stackoverflow.com/questions/9051265/java-apache-http-client-usage-examples-showing-use-of-cookies-and-extracting-r)). When you submit a POST with the username and password, the session id should be set in the cookies. For later requests you should just supply that session id and it will be "logged in". – Jonathan Kuhn Mar 05 '15 at 20:33
- As far as security, if you are planning on having someone type in the username/password, then it would be fine. If you are expecting to add the username/password to the source of the app, it would be insecure, as someone could likely get the values from the source. – Jonathan Kuhn Mar 05 '15 at 20:34
- Thank you for your reply. Well, I have found the link you replied with, and for this I thank you again. So if I send the username and password of the user's credentials (not the username and password of the DB in the Android app) over the HTTPS protocol, should I be safe? – I love coding Mar 05 '15 at 20:39
- It depends on what you are doing. There is a lot here that can make this unsafe. If you are just storing a username and password in the source of the app and sending that, someone could easily get that username and password and send requests to the protected site as if they were the app. – Jonathan Kuhn Mar 05 '15 at 21:32
- The point is that with HTTPS it should be safer to avoid attacks with a sniffer. Of course, if someone has the mobile phone with the app, they can get the username and password stored there. Do you agree with me? – I love coding Mar 05 '15 at 21:39
- Yes. That is correct. – Jonathan Kuhn Mar 05 '15 at 22:09
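The flow the comments describe (post the user's credentials once over HTTPS, keep the session cookie the PHP server sets, send only that cookie afterwards), written out as an added example that is not code from the question or the comments. It uses `java.net.HttpURLConnection` with a `CookieManager`, which is available on Android without the Apache client; the base URL, the `login.php` endpoint and the assumption that the server answers 200 only on a successful login and 401/403 once the session is gone are all assumptions, not facts from the thread.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/*
 * Added example (not from the question or comments): an Android-compatible
 * client that posts the user's credentials once and afterwards presents only
 * the session cookie the PHP server set. BASE_URL, login.php and the status
 * codes checked below are assumptions about the server, not facts from the page.
 */
public class SessionClient {
    private static final String BASE_URL = "https://example.invalid/app"; // placeholder host

    private final CookieManager cookieJar;

    public SessionClient() {
        // In-memory jar: PHPSESSID lives only as long as the process and is never
        // written to SharedPreferences next to the password.
        cookieJar = new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);
        // HttpURLConnection consults the default CookieHandler for Set-Cookie / Cookie headers.
        CookieHandler.setDefault(cookieJar);
    }

    /** Sends username and password once; assumes login.php answers 200 only on success. */
    public boolean login(String username, String password) throws IOException {
        String form = "username=" + URLEncoder.encode(username, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
        HttpURLConnection conn = open("/login.php");
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        // Reading the status is the point at which the Set-Cookie header reaches the jar.
        int status = conn.getResponseCode();
        conn.disconnect();
        return status == HttpURLConnection.HTTP_OK;
    }

    /** Later requests carry the session cookie only; returns null once the session is gone. */
    public String fetchPrivate(String path) throws IOException {
        HttpURLConnection conn = open(path);
        conn.setRequestMethod("GET");
        try {
            int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_UNAUTHORIZED
                    || status == HttpURLConnection.HTTP_FORBIDDEN) {
                return null; // server expired or destroyed the session: prompt the user to log in again
            }
            try (InputStream in = conn.getInputStream()) {
                return readAll(in);
            }
        } finally {
            conn.disconnect();
        }
    }

    /** Forgets the session id locally; pair it with a server-side session_destroy(). */
    public void logout() {
        cookieJar.getCookieStore().removeAll();
    }

    private static HttpURLConnection open(String path) throws IOException {
        URL url = new URL(BASE_URL + path);
        // Refuse plain HTTP so neither the password nor the session id travels in the clear.
        if (!"https".equals(url.getProtocol())) {
            throw new IOException("refusing to send credentials or a session id over " + url.getProtocol());
        }
        return (HttpURLConnection) url.openConnection();
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toString("UTF-8");
    }
}
```

With this shape the password is used once, at login time, and can be discarded; what the app holds afterwards is a session id that the server can expire or invalidate, which a stored password cannot be. On the PHP side this only works as intended if the session cookie is issued with the `Secure` and `HttpOnly` flags (the `session.cookie_secure` and `session.cookie_httponly` ini settings) and the id is regenerated on login with `session_regenerate_id()`, so that a cookie captured before authentication is not usable after it.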