I've been doing some research and it seems my best option to go with an Android-Client/PHP-Server application is by using JsonRPC. My question is, How would an authentication mechanism work?
I'd use Zend for json server and Android-json-rpc as client. Or is there a better way to do a remote authentication?
If you want to do a simple API key then in every JSON call, the client would pass the auth key and in each method on the php side would get the key and authenticate it.
If you wanted to do session type authentication, you would have to first call an authenticate method that would return the session_id to the client. The client would then send the session key in every subsequent method. Within the methods, the server could then check the session key.
I have looked for a way to cleanly abstract authentication out of the actual json RPC methods, but if you use Zend_Json_Server directly, there is no way to do it. You may be able to extend it, but to me, it wasn't worth the hassle.
just like browser works . Browser also sends session id in every request using cookies . You can build the similar functionality with your java REST client by appending that id to every request .Then in php code you can do
session_id($_GET('session_id'));
session_start();
your rest client will send this session_id in every request to be identified. This way you can use php sessions just like with browsers.
Related
I want to make an android app which will login to my web application using rest API. In browsers we have a concept of cookie which servers use to identify/maintain session with the users.
In Android how would we accomplish it ? I heard that there is a concept of token which is sent by server in response(first time when credentials are validated) and Android app have to send it to server every time it tries to access a resource(protected). So, what is the better way of doing it ?
Do we need to validate the token again and again when the client requests for a resource ?
Honestly, I can't think of a better way of doing this. Token based authentication seems to be pretty standard when dealing with RESTful APIs. Is there any reason you can't do that?
If you don't want to change the server code, then this could be simulated by adding a cookie header to every request you send. But this is basically the same thing that you mentioned above, just not as clean.
And the browser is already sending a token to be validated again and again. Every request has a cookie header that gets validated through your web application on every request, so this isn't a big deal at all.
And, you don't need anything Android specific to accomplish this. In whatever http library you're using I'm sure there is a method you can called or something you can override in order to set custom headers. Use that to set either your cookie header or token header on every request that you need to make.
How can I safely pass a user's email and password from an Android app over to my web server's REST API for authentication?
Would it be safe to create a POST request to a route, like:
http://www.website.com/user/login
Are there other ways to do it? Safer ways? What safety concerns should I know about?
Sending the password should only be a "login action". Obviously, this login call must be done via https in order to be safer.
The problem is that a mechanism based on a password attached to every request is not safe enough.
The two main methods
Via cookies: You interchange a cookie between client and server. You obviously have to handle the authentiacion in server to validate the request. Classic way.
Via tokens (OAuth2 way): You interchange a refresh token (long duration, maybe days, months... it's customizable) and an authentication token (temporary and refreshed with the refresh token). You have also to handle this on server (to set scopes and times,validation etc.).
I'm always thinking in a password for an user/session. Don't store "masters passwords" for services in your APK!! Never!! APK has no secrets, they can be easily decompiled.
I hope this would help you ;)
I am using asp.net web service with Android application for select and insert the data from MS-SQL Server.
I just want to web service only access by my Android application.
Because, web service is hosted on my private server and data is very secure. I am not want anyone can call my web service.
Any solution?
Make request in the POST request and use extra field to check for sender's. In this field you could use any secret key !
In your request, just put a SHA-1 key (e.g SHA1(Hard_coded_password_in_app_and_WS, unique_ID_stored_in_preference_and_in_data__base))
In your WS, just check if this parameter is ok, and then answer. It's not the best security ever, but it's quite easy to set up, and it will do the trick.
there are a few ways to do this (in my opinion):
if your app has user account involved, you can simply use user session to authenticate or the social logins eg. facebook
post request, with a header of a hashed key,
good read: https://weblogs.java.net/blog/gmurray71/archive/2006/08/restricting_acc.html
I want to make a login application in Android.
Requirement of the project is to store user name and password for two days using cookie.
Is it possible to use cookies? If yes, then how? Can you give me the code?
Note: I can't use web view.
As a commenter already said, you aren't supposed to store password (even in encrypted form) in a cookie. What you can store is a session id. When user logs in the application, the application generates a session id for him/her, which will stay valid for two days. In every request that you make to the application, you add the session id as an HTTP header.
You can store the session id and the datetime it was issued in the preferences. When the user needs to make a new request to the application and the session hasn't expired, you can read the stored value.
If you are not looking to integrate this into the browser, then have a go at this.
If you look at the HTTP protocol, you can see that cookies are sent by the client in plain text in the request. This means you should have your application deliver them every time your request a page. This is not valid for local-only cookies, but I don't think that you're interested in these. If you want to set cookies from the server side, you will have to adapt your application to parse the response and look for cookies. (also HTTP protocol)
For a better view of the raw data you need to send or receive, you can monitor your traffic using Wireshark or a similar tool and see how the request/response look like.
I am currently working on a web-service that I need to implement on iPhone and this is my first idea of doing it. I haven't got to implement this yet (my web service is still not done) so there's not much more I can tell you at the moment.
Edit:
A useful page about this might be the Wikipedia HTTP Cookie page located here.
As Reno said, try to avoid storing the password in the cookie. Instead you should let the server generate a sessionID when logged in and let this ID expire on the Server after two days. SO you can login with the username and the sessionID you generated with logging in once.
I you want, you can store that sessionID in the cookie.
I'm trying to get json data from a django view (login required)
into a new android app I'm working on.
I would like to authenticate the user against the django login
and keep the cookie/session for all the django view calls to
get data from the server.
I did some googling but nothing helped me,
even if I guess it should be a quite common task.
Maybe I'm facing the problem from a wrong point of view..
So I'll switch the question to:
how can I do some user authenticated json request/response to a django server?
Any clue?
You have to do as the website expects, and you need to persist the session cookie.
What I did is using XML-RPC to do all the transfers.
Not exactly sure if it's the best way, considering django's xml-rpc support is some kind of a hack.
Here's a very detailed XML-RPC handler for django:
https://code.djangoproject.com/wiki/XML-RPC
then, setup ur client end on android.
When communication is okay. Start writing server end API.
from django.contrib.auth import authenticate
and use this function to do authentication.
Then for sessionId stuff, you need to go to backend db to manually do them: https://docs.djangoproject.com/en/dev/topics/http/sessions/
as u can see, this is why I don't think it's the best way. You can't send httprequest, hence most django build-in functions doesn't work.