I'm a developer with my roots in web development. I have always built my APIs using PHP, and now that I am moving forward and leaning more into app development with React Native, I have done the same.
I am using an SQL database for my user data and I want to make sure that only signed-in users can fetch the data from the database.
In web development, the way I would solve this is through a cookie storing a PHP session and using the user_id stored within that session on the server to make the request. Therefore the API would not accept GET/POST variables; rather, the user_id we queried for was stored on the server.
From what I have read already, session APIs are not something that we want to deal with when working with mobile, as seen for example in this thread: "How to manage session for a user logged in from mobile app in PHP?"
To summarise the question:
How do we secure our API when working with React Native without having the user sign in over and over to reassign a SESSION on the Apache server? I am concerned about this since, if it is not done properly and the app is reverse engineered, a malicious user could start sending requests to the user with any POST/GET parameters they please and thereby remove/add/modify user data that they should not be able to.
Best regards. A.W
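
The server-side pattern described in the question, as an added example that is not part of the original post: the owner id comes only from session state, and any `user_id` sent in the request is ignored. The `notes` table, its columns, the sample rows and the function names are constructed for illustration, and an in-memory SQLite database stands in for the real SQL database; in a real endpoint `$_SESSION` and `$_POST` would be passed as `$session` and `$request`.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the real database.
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
    $pdo->exec("INSERT INTO notes (user_id, body) VALUES (1, 'alice note'), (2, 'bob note')");
    return $pdo;
}

// Read path: identity is taken from server-side session state only.
function fetch_notes(PDO $pdo, array $session, array $request): array {
    if (!isset($session['user_id'])) {
        return ['status' => 401, 'rows' => []];   // not signed in
    }
    // $request['user_id'], if a client sends one, is deliberately never read.
    $stmt = $pdo->prepare('SELECT id, body FROM notes WHERE user_id = :uid');
    $stmt->execute([':uid' => (int) $session['user_id']]);
    return ['status' => 200, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// Write path: ownership is enforced in the WHERE clause, so a note id that
// belongs to another user matches zero rows instead of being deleted.
function delete_note(PDO $pdo, array $session, array $request): int {
    if (!isset($session['user_id'])) {
        return 401;
    }
    $stmt = $pdo->prepare('DELETE FROM notes WHERE id = :id AND user_id = :uid');
    $stmt->execute([
        ':id'  => (int) ($request['id'] ?? 0),
        ':uid' => (int) $session['user_id'],
    ]);
    return $stmt->rowCount() === 1 ? 200 : 404;
}

$pdo   = demo_db();
$alice = ['user_id' => 1];   // constructed: what $_SESSION would hold after login

// A tampered request naming another user still only reaches the caller's rows.
var_dump(fetch_notes($pdo, $alice, ['user_id' => 2]));
var_dump(delete_note($pdo, $alice, ['id' => 2]));    // note owned by user 2
var_dump(delete_note($pdo, $alice, ['id' => 1]));    // caller's own note
var_dump(fetch_notes($pdo, [], ['user_id' => 1])['status']);   // no session
```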