12

I'm interested in the best way to do user auth in a mobile app. At the moment the set up is quite simple. I'm storing the username and password on the app and sending it to the api each time I need to run a restricted query.

This I feel is probably the wrong way to go about this.

Would a better way to be to send the username and password when the user logs in and then store that user's id? The problem with this is that then the api accepts a user id and not a username and password. A user id will be much easier to "guess" at and malicious persons would be able to submit a req to the api with randomly selected user id's performing actions under their account. I have an api key. Is this secure enough?

The issue is that I want to start integrating twitter and facebook oauth into the app. I haven't read much about it, but I think you get a "token". How would this work with the set up that you're suggesting? Would there be benefit to creating a token in my own database of users and using the token (whether it be mine, facebook's or twitter's) as the authorisation? Or would it make sense to keep each service separate and deal with them separately?

Thank you.

Thomas Clayson
  • 29,657
  • 26
  • 147
  • 224

1 Answers1

10

The correct way would be to generate auth token on the server when user logs and send this token in login reply. Then this token is used in subsequent requests.

This means that server must keep track of auth tokens it generates. You can also track token creation times and make tokens expire after some time.

Token must be a sufficiently long random string, so that it can not be easily guessed. How to do this was answered before: How to generate a random alpha-numeric string?

Personally I prefer the UUID approach.

Update:

This problem was already solved in web browsers, via cookies and sessions. You can reuse this mechanism in your Android requests (though some REST purists disprove this approach):

  1. Enable sessions on server.

  2. When user logs into a server add some data to session, for instance time of login:

    request.getSession().setAttribute("timeOfLogin", System.currentTimeMillis());

  3. Since sessions are enabled, you also need to enable support for cookies in your HttpClient requests: Using Cookies across Activities when using HttpClient

  4. Every time a request is made, server should check if session contains timeOfLogin attribute. Otherwise it should return HTTP 401 reply.

  5. When user logs out, call server logout url and clear the cookies on client.

Community
  • 1
  • 1
Peter Knego
  • 79,991
  • 11
  • 123
  • 154