
I read from this post that the best way to authenticate a user to a custom service is to use token-based authentication: send username and password for the first time and retrieve the token from the server. But I did not understand some details of this process:

  1. What period of time should the token be valid?
  2. How to store the token on the mobile device (SQLite, file; encrypted or not...)
  3. When the token expires, the user will have to authenticate himself again, but isn't that behavior annoying? We could do silent authentication, but to do that we need to store the user's password on the device, which is not correct.
halfer
Fairy

1 Answer


1. For what period of time should a token be valid?

This depends on the expected usage of your application. You will be able to decide this once you know how many times a user would open the application every day and also how much time he/she needs during one session/interaction with the application. Let's assume you are developing a social media app where the user will open/close the application several times a day. For such an application the token lifetime should be longer.

2. How to store the token on a mobile device (SQLite, file; encrypted or not...)

Simply using Shared Preferences is enough, but make sure to update the token whenever its value is updated on the server side.

3. When the token expires, the user will have to authenticate himself again, but isn't that behavior annoying? We could do silent authentication, but to do that we need to store the user's password on the device, which is not correct.

You can also perform silent authentication without saving the username and password on the mobile side. Just update the token when the API is called with the expired token.

Jordan
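The "update the token when the API is called with the expired token" step in the answer's last point works by pairing a short-lived access token with a longer-lived, single-use refresh token, so the device never keeps the password; the following is an added example, not code from the question or the answer. Server and client are modelled in-process in Python so both sides of the exchange are visible; on Android the client half belongs in an HTTP interceptor and the stored token pair in EncryptedSharedPreferences rather than plain SharedPreferences. The clock is injected so expiry can be exercised, and the user name and password are constructed values.

```python
import secrets, hmac

ACCESS_TTL = 15 * 60          # short-lived: limits the damage if it leaks
REFRESH_TTL = 30 * 24 * 3600  # long-lived: bounds how often the user must log in again

class AuthServer:
    def __init__(self, users, clock):
        self.users, self.clock = users, clock   # users: {name: password}, constructed; a real server stores a slow hash
        self.access, self.refresh = {}, {}      # token -> (user, expires_at)
    def _issue(self, user):
        a, r, now = secrets.token_urlsafe(32), secrets.token_urlsafe(32), self.clock()
        self.access[a] = (user, now + ACCESS_TTL)
        self.refresh[r] = (user, now + REFRESH_TTL)
        return {"access": a, "refresh": r}

    def login(self, user, password):
        pw = self.users.get(user, "")
        return self._issue(user) if pw and hmac.compare_digest(pw, password) else None

    def refresh_tokens(self, refresh_token):
        entry = self.refresh.pop(refresh_token, None)   # single use: each refresh rotates the pair
        if entry is None or entry[1] <= self.clock():
            return None
        return self._issue(entry[0])

    def api(self, access_token):
        entry = self.access.get(access_token)
        if entry is None or entry[1] <= self.clock():
            return 401, None
        return 200, "hello " + entry[0]

class Client:
    """Keeps only the token pair; the password is discarded right after login."""
    def __init__(self, server):
        self.server, self.tokens = server, None
    def login(self, user, password):
        self.tokens = self.server.login(user, password)
        return self.tokens is not None
    def call(self):
        if self.tokens is None:
            return 401, None
        status, body = self.server.api(self.tokens["access"])
        if status == 401:   # access token expired: one silent refresh, then give up
            new = self.server.refresh_tokens(self.tokens["refresh"])
            if new is None:
                self.tokens = None   # refresh token expired or already used: the user must log in again
                return 401, None
            self.tokens = new
            status, body = self.server.api(self.tokens["access"])
        return status, body
```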