
I'm creating a simple Android application; it requires some details to be stored and retrieved from a web service coded in PHP. I have planned to create a PHP script like www.mycoolservice.com/domagic.php. The Android app will request some details from the script via HTTP POST, and the script will send the data using JSON encoding.

My question is about authentication and security.

Which is the best way to authenticate a user with the server? Should I send the username and password with every HTTP POST (encrypted)?

Also, if there are a large number of users using the same script at a time, will there be some concurrency and efficiency issues?

I'm just a beginner to web services, please guide me.

2 Answers

To add on mach, who was faster than me:

I lately read this multi-part tutorial about a REST PHP Application:

Part 1 and Part 2 (The last one is not yet there)

I guess a nice way is to generate an API/Authentication-Key for every user. With the first authentication, you send it back and every communication will include the key.
You should use HTTP POST for any communication though.


7 Comments

Thanks, nice tutorial. But is REST needed for simple authentication? It seems kind of complex.
It is not needed. It's just to show you how the authentication key could be used. You've got to try and bring that now into your PHP web service.
What I'm following is this tutorial: androidhive.info/2012/05/how-to-connect-android-with-php-mysql. I want to add the ability to authenticate users, i.e. identify the user. Should I use REST with it, or is there some easy way around?
Well, the tutorial shows you how you can generate the JSON responses. If you want to use an authentication key, you just add a function to generate one for every user. The key is then added to the response JSON. In the web application you use that key for the POSTs that require the authentication.
Like, first the user logs in by entering username and password (in Android). So I should send it to the server (encrypted), right? And how does the key generation process work?

Often you have an authentication API that gives a time-limited token as return value. Then you set this token in the header of other calls to the backend.

POST call to www.mycoolservice.com/authenticate.php with JSON

{
    "u": <user>,
    "p": <password>
}

responds with

{
    "t": <token>
}

Calls to your www.mycoolservice.com/domagic.php with header "Token: "

4 Comments

Can you give an example of the authentication API?
So if an intruder gets hold of this token, can't the intruder send bogus requests? Is this token encrypted?
Well, yes, but that is also true for the user/password combination. The token has the nice feature of being time-restricted and revocable. If you are worried about getting skimmed on credentials, use HTTPS and a real SSL certificate for the host.
Is this token encrypted, or is it sent in plain text?
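Both answers describe the same pattern (a per-user key or time-limited token issued once, then sent on every call), and the comments ask what the key generation looks like and whether the token is encrypted. The PHP below is an added example written for this page; it is not code from either answer or from the androidhive tutorial. It mints a signed, expiring token with a random nonce, validates it on later requests, and shows how a nonce can be revoked at logout. The names TOKEN_TTL, $USERS, $REVOKED, the claim keys u/exp/n, and the single-file routing on the script name are this example's own assumptions, and the in-memory arrays stand in for the users and revoked-token tables a real deployment keeps in its database.

```php
<?php
// token_auth.php: added example of the flow the second answer sketches:
// POST {u,p} to authenticate.php, get back {t}, then send "Token: <t>" on
// every domagic.php call.  Nothing here is the page's own code.
declare(strict_types=1);

const TOKEN_TTL = 3600;   // assumption: tokens live one hour

// Assumption: the signing key comes from the environment as a per-deployment
// secret (e.g. bin2hex(random_bytes(32))).  The fallback only lets the file
// run stand-alone from the command line; never deploy with it.
$SERVER_SECRET = getenv('TOKEN_SECRET') ?: 'dev-only-secret-do-not-deploy';

// Constructed stand-in for a users table: password hashes, never plaintext.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
// Constructed stand-in for a revocation table, keyed by token nonce (logout).
$REVOKED = [];

function base64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $s): ?string {
    $r = base64_decode(strtr($s, '-_', '+/'), true);
    return $r === false ? null : $r;
}

// Issue a signed, time-limited token.  Nothing in it is encrypted: the user
// name and expiry are readable by anyone holding it; the HMAC only proves the
// server minted it and it was not altered.  HTTPS is what keeps it private.
function issue_token(string $user, string $secret, ?int $now = null): string {
    $claims = ['u' => $user, 'exp' => ($now ?? time()) + TOKEN_TTL,
               'n' => bin2hex(random_bytes(16))];   // nonce: the revocation handle
    $payload = base64url(json_encode($claims));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Validate a token; returns its claims, or null if forged, expired or revoked.
function verify_token(string $token, string $secret, array $revoked, ?int $now = null): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) return null;            // constant-time compare
    $json = base64url_decode($payload);
    $claims = $json === null ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['u'], $claims['exp'], $claims['n'])) return null;
    if ((int)$claims['exp'] < ($now ?? time())) return null;   // time-limited
    if (isset($revoked[$claims['n']])) return null;            // revocable
    return $claims;
}

// The login step: check the stored hash, then mint a token.
function authenticate(array $users, string $u, string $p, string $secret): ?string {
    if (!isset($users[$u]) || !password_verify($p, $users[$u])) return null;
    return issue_token($u, $secret);
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo of the two-request exchange and the three failure modes.
    $t = authenticate($USERS, 'alice', 'correct horse battery staple', $SERVER_SECRET);
    $claims = verify_token($t, $SERVER_SECRET, $REVOKED);
    echo "token for {$claims['u']}, valid until ", date('c', $claims['exp']), "\n";
    var_dump(verify_token($t . 'x', $SERVER_SECRET, $REVOKED) === null);                  // tampered
    var_dump(verify_token($t, $SERVER_SECRET, $REVOKED, time() + TOKEN_TTL + 1) === null); // expired
    $REVOKED[$claims['n']] = true;                                                         // logout
    var_dump(verify_token($t, $SERVER_SECRET, $REVOKED) === null);                         // revoked
    exit;
}

// --- Web glue: what authenticate.php and domagic.php would each do ---
header('Content-Type: application/json');
$body = json_decode(file_get_contents('php://input'), true) ?: [];
if (basename($_SERVER['SCRIPT_NAME']) === 'authenticate.php') {
    $t = authenticate($USERS, (string)($body['u'] ?? ''), (string)($body['p'] ?? ''), $SERVER_SECRET);
    http_response_code($t === null ? 401 : 200);
    echo json_encode($t === null ? ['error' => 'invalid credentials'] : ['t' => $t]);
} else {
    // PHP exposes a "Token:" request header as $_SERVER['HTTP_TOKEN'].
    $claims = verify_token((string)($_SERVER['HTTP_TOKEN'] ?? ''), $SERVER_SECRET, $REVOKED);
    if ($claims === null) { http_response_code(401); echo json_encode(['error' => 'bad token']); exit; }
    echo json_encode(['hello' => $claims['u']]);   // domagic.php's real work goes here
}
```

Run it with `php token_auth.php` to see one good verification and three rejections (tampered, expired, revoked). Two points the comments were circling: the token is not encrypted, it is signed, so it must only ever travel over HTTPS, and because it is a bearer credential the server needs the expiry and the revocation list to limit the damage if one leaks. The per-user API key from the first answer is the same idea with no expiry; adding the `exp` claim and the nonce is what makes the second answer's token "time restricted and revocable".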
