3

I have an Android app that interacts with my server written in PHP. I have done several requests that will be called via POST from the android app and will be answerd in JSON format.

I have a login request, the android application will send the credential (password and username) to the server. If login in sucessful the session_ID will be send as an answer. For every other request that needs user authentification the session_ID will be required. If that session_ID is not set, I will asume that the user is not logged. Otherwise, if the session_ID exists I will answer the request with the requested data

I'm going to check the authentification with the following code. 

if(!isset($_POST['session_ID']))
{

    $json[] = array(
        'return' => $errors_authentification,
        'error_msg' => "User not authenticated"
    );

    echo json_encode($json);
    return;
}

session_id($_POST['session_ID']);
session_start();

Do you think this a good approach? I've seen post talking about tokens instead of session_ID to deal with android - php interactions that need authentification, which is the difference?

Improve this question
1

2 Answers 2

Reset to default
1

@chsharper, @pasi

I don't think JWT on its own is secure enough. Yes, it is signed by the server and is guaranteed to be tamper free. However, if someone knows the JWT (if saved in a Local storage), the same JWT can be used multiple times within the Ttl period (a hacker might use the JWT and use to impersonate within the Ttl period). If we save the JWT in a cookie and send it back to server with every request using HTTPS , I know the scenario is a bit tight, but is it completely non repeatable? I would recommend using one time token with a JWT, so it prevents repetitive requests.

Do you think this is a good approach? Any ideas on this will be greatly appreciated.

Thank you,

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

There's numerous approaches to solving user authentication after login, which of newest and hottest is JWT, JSON Web Tokens, which is a simple approach of storing session in the client side in a such manner that its secure to use from server end.

JWT ensures that user can't tamper the data it sends to the server, as they originate from the server(such as user id) and are signed by the server.

This way you don't have to perform any database queries or so in the server end to fetch the account id or related data, you just check whether or not the data sent by client is signed by you, after that you're good and can save some server CPU cycles.. However there's a small overhead included, sending the JWT requires some data exchange, but you can keep it as tiny as you need.

I for one like to 'cache' some data in the client side, as the token can also be used in client to use these ids.

To answer your question, your approach is simple, and requires little to no effort, also its as secure as cookies, as long as one can't grab the id in a MITM scenario, you're good.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.