
I have a Node.js server and an Android client. Basically I have two options for authentication: REST API + HTTP Basic, or sessions. I prefer sessions, because storing user credentials in the memory of a phone doesn't seem like a good idea. The session ID is temporary, so storing it would not be a security issue.

I've tried the following approach: on Node.js I'm using the express-session middleware. On the client side, the session ID is stored in a variable SID. With every request, the cookie "connect.sid=SID" is set. If the response contains Set-Cookie, SID is set to match connect.sid. However, this approach does not work. I could, however, generate my own ID and not use express at all.

Also, I don't understand the browser behaviour with express sessions. I'm using HTTPS, if that makes any difference. It works fine, but first of all, every request results in 2 operations: one with the OPTIONS method and the other with the actual operation. The response to the OPTIONS request returns Set-Cookie. In the actual operation requests, the cookie "connect.sid" is set. In every request the ID is the same, BUT each Set-Cookie returned by the server has a different ID, and the ID sent by the client does not match any of these IDs. Could someone explain what's going on?

Authenticating to a server with a mobile application is a very common situation these days. What is the recommended way to handle it (without third parties)?

eko

1 Answer


Could someone explain what's going on?

I suspect that your implementation of the cookie handling on the client side (Android app) could be the cause of the problem.

I developed an Android app with node.js and I saw a similar problem using a RESTful API. In my case, I used the Retrofit2 REST library. This library is based on the OkHttp3 API for dealing with HTTP requests/responses. To solve my problem with cookies, I included the code shown in the answer https://stackoverflow.com/a/34886860/7183182, where the main pieces were the PersistentCookieStore implementation and the JavaNetCookieJar class. If you use HttpURLConnection, the PersistentCookieStore implementation can be passed to CookieManager. The Android documentation shows how to use specific CookieStore implementations here and here.

Authenticating to a server with a mobile application is a very common situation these days. What is the recommended way to handle it (without third parties)?

I recommend using OAuth solutions, where the API key (or access token) is stored on the client side using SharedPreferences.

A session ID transported through cookies is a solution, but it is problematic with native or hybrid mobile applications.

ggcrjdev