
I have some PHP script that logs in and returns a JSON array with a session ID if the login was successful.

In my app, I want to login at the front page and continue out through the app being logged in. I created a singleton class that holds a session ID (along with a few other fields) received from the JSON from the PHP page. This singleton object's field "session_id" gets checked depending on what the user does.

If the user wants to log out, then the session_id just gets set to null thus logging out.

I also use the HttpURLConnection library to POST the username/password when logging in.

Is this a decent enough approach for handling this situation?

SBerg413
volk

2 Answers


Here are some things you should think about:

  • Once you have authenticated the user and stored the session_id locally, send the session_id in the header of each of your HTTP requests. That way, you're not sending the credentials with each request, but the session id. And if something happens on the server side to the session, the transaction will not be allowed.
  • When logging out, don't just delete the session_id on your app (client) side. Send a logout to the server as well so that the session can be killed server side.
  • If the session is killed on the server side, you'll want to do one of two things: A) prompt the user to re-login, or B) use the stored credentials to log back in, create a new session id and store it again in your singleton.

This will guarantee a bit more security and functionality than just clearing the session id on your app side.

SBerg413
I don't think he is making any more HTTP requests other than the initial login one. Most of his functionality seems local. +1 for mentioning the correct way to do authenticated requests. – Mike L. Oct 09 '11 at 22:04
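The three points above, as an added Android/Java example (not code from the question or this answer): a singleton that sends the session id in a request header instead of the credentials, tells the server on logout, and drops the id when the server reports the session gone. The host, the login.php/logout.php paths, the X-Session-Id header name and the shape of the JSON reply are assumptions; org.json is the parser bundled with Android.

```java
import java.io.*;
import java.net.*;
import java.util.Scanner;
import org.json.*;

/** Singleton holding the session id; null means logged out. */
public final class SessionClient {
    private static final SessionClient INSTANCE = new SessionClient();
    private static final String BASE = "https://example.invalid/api/"; // placeholder host
    private static final String HEADER = "X-Session-Id";               // header name is an assumption
    private volatile String sessionId;
    public static SessionClient get() { return INSTANCE; }

    /** Credentials cross the wire once; the JSON reply carries session_id. */
    public void login(String user, String pass) throws IOException, JSONException {
        HttpURLConnection c = (HttpURLConnection) new URL(BASE + "login.php").openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        String form = "username=" + URLEncoder.encode(user, "UTF-8") + "&password=" + URLEncoder.encode(pass, "UTF-8");
        try (OutputStream out = c.getOutputStream()) { out.write(form.getBytes("UTF-8")); }
        if (c.getResponseCode() != 200) throw new IOException("login rejected: HTTP " + c.getResponseCode());
        sessionId = new JSONObject(readBody(c)).getString("session_id");
    }

    /** Later requests carry only the session id; a 401 means the server already dropped it. */
    public String call(String endpoint) throws IOException {
        if (sessionId == null) throw new IllegalStateException("not logged in");
        HttpURLConnection c = (HttpURLConnection) new URL(BASE + endpoint).openConnection();
        c.setRequestProperty(HEADER, sessionId);
        if (c.getResponseCode() == 401) {
            sessionId = null;   // forget the dead session; the UI should ask the user to log in again
            throw new IOException("session expired on server");
        }
        return readBody(c);
    }

    /** Clear the id locally, then ask the server to destroy the session too. */
    public void logout() throws IOException {
        if (sessionId == null) return;
        HttpURLConnection c = (HttpURLConnection) new URL(BASE + "logout.php").openConnection();
        c.setRequestMethod("POST");
        c.setRequestProperty(HEADER, sessionId);
        sessionId = null;       // cleared first so a network failure cannot leave a stale id behind
        c.getResponseCode();    // best effort: the reply body is not needed
    }

    private static String readBody(HttpURLConnection c) throws IOException {
        Scanner s = new Scanner(c.getInputStream(), "UTF-8").useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";
    }
}
```

Whether the caller re-prompts or silently logs back in after the 401 is the A/B choice from the answer; the class only guarantees the stale id is never reused.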

This strategy will probably work. In an app I worked on, I stored the return data from login in the Android SharedPreferences. If the user logged out, I cleared the preferences. This allowed users to stay logged in, even if they closed the app and went back in later. I had an authentication token that I checked to see if the user's login was still valid.

How do you plan on handling persisted logins? Does the sessionID expire? You might want to think about these situations; otherwise, once a user is logged in, they will be logged in forever, or as long as the app is open.

Mike L.

@Mike L Need your help. I have a webservice in which I have a method named generateToken. This token method is used for the session for that particular user. Meaning that when a user logs in, first I have to get the token for that user; for some time that token is valid, and the user has to get another token after the first one expires. Can you help me with how to store the session token, i.e. cookie based, using KSOAP 2 – Pro_Zeck Jun 05 '13 at 21:34