1

I am developing an Android application which will use a SQL server(database) to store the application's data. In addition, the application will use the ASP web API to send and receive XML or JSON between the client and the server.

I am currently confused about how to make the application do the authentication securely and how to keep the user logged in without the need to keep sending the user's credentials in the http requests.

Therefore, I need your recommendation about how to secure my application and to provide me with a tutorial links if possible.

Improve this question

2 Answers 2

Reset to default
1
  1. Login (Username, Password shored in BasicNameValuePair) from your Client (here Android) by access Web API controller (perhaps /Token if you use some samples from Asp.Net Web API website). If success, the access token will be responsed and you will save in your client (SharedPreference or database)
  2. Then, just need to send the access token (no need username, password anymore) to request other API controllers.

Of course, https should be used here for better security.

Sample codes for getting the access token (login phase):

public static Object getAccessToken(String address, String grant_type, String username, String password) throws Exception {
    List<NameValuePair> params = new ArrayList<>();
    params.add(new BasicNameValuePair("grant_type", grant_type));
    params.add(new BasicNameValuePair("username", username));
    params.add(new BasicNameValuePair("password", password));

    // Making HTTP request
    httpResponse = makeHTTPRequest(address, params);
    if (httpResponse != null) {
        statusCode = httpResponse.getStatusLine().getStatusCode();
        if (statusCode != HttpStatus.SC_OK && statusCode != HttpStatus.SC_BAD_REQUEST) {
            return httpResponse.getStatusLine().toString();
        }

        // Get JSON String (jsonString) from Input Stream (is)
        getJSONFromInputStream();
        if (jsonString.isEmpty()) {
            return null;
        }
        // Parse the JSON String to a JSON Object
        jObj = new JSONObject(jsonString);
    }
    // Return JSON Object
    return jObj;
}

Inside makeHTTPRequest, for request access token:

httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded");
httpPost.setEntity(new UrlEncodedFormEntity(parameters));
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

So there's a specific login request type which returns a token under the WWW-Authorization flag to which I can pass user/pass and receive only the token in the Response? That makes sense, but how do we send the Token instead of user/pass? Does it require a specific parameter name and call or is it "Authorization" followed by the token?
@G_V since your previous comment relates to Volley syntax so I give you an example at pastebin.com/pTQu8JMs, please take a look
@G_V when working with web service / web api, I suggest you use Postman (for Chrome) also, at getpostman.com, for Firefox, you can use HttpRequester add-on
You're a lifesaver, I was looking for the "Bearer" flag and where to append the token! This is what I ended up with so far and I'm going to look into using Postman pastebin.com/Fu4DmfEX
@AliExalter yes, you need web service in your server, pls read learn.microsoft.com/en-us/aspnet/web-api/overview/security/… for more information
|
0

Your clients can access from multiple devices with same account ?
---- First case(can access from multiple devices) :
1. If username or id exists in internal just send them to server.
2. If not ask username and password from client then send it to the server (or just phone number)
3. Check user informations on database on server
4. If authentication success save userid or username into the internal storage 5. If fails , ask it again .
---- Second case(can't access from multiple devices) :
You need to send user device id to server to detect which devices your user logged in. If device id matches then authentication success , otherwise fails and ask user to log in again. But in this case you need to be careful because if user login , after login from another device , first user must be disconnected.Therefore you should send userid and device id for every request or server sends client a disconnect query.

Improve this answer

2 Comments

Thanks a lot for your recommended solution. I am interested to use the first recommendation since each users of the application can use multiple devices. Let me write more information about the first case. What I understand from the first case is that I will use the http protocol to send the username and password with each request. In addition, I will utilize the internal storage to save and extract the username and passwords in the next requests. However, how can I secure (encrypt) the usename and password while in transition on the internet? Thanks again, your help is much appreciated.
You can use Public-key cryptography for security.You don't need the store real password and username into the internal . Encrypt your password and username send it the server and see if they matches. Database has primary key for every users right ? Then username and password is not necessary for internal . Just encrypt userid and returns it to the client. In requests , decrypt the userid and see if they matches. But if you want to secure password and username before sending the server , hash them as MD5 or some other hashing function , then send it.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.