The app is to be used for small businesses, so:
- An admin will create the user accounts via the web for each user in their company. Users are given their login details (so there is no need for registration within the app).
- App will behave differently depending on the company they are in, so will need to read custom fields from a database.
- Preferably, users will only need to log in once. So some kind of authorization token is saved to phone?
- I don't really want the login system to use any third party login (Google, Facebook etc.).
Currently, what I've done is send email / password (encrypted) from a login form on the app as an HTTP request within a URL query string. I've then got a PHP page that will use email / password as a SQL statement to see if the user exists and returns any user data back to the app.
I believe this will work, but not sure that it is a secure way of doing it? If anyone knows of better ways it is really appreciated!
Ulf Dittmer wrote: Credentials should never be sent as part of the query string, since those end up in lots of places where you don't want credentials stored (browser histories, log files, web caches, etc.). You should make that a POST that goes over HTTPS.
Heh, yeah.. never thought about that.
Great, thanks.. will look into this.
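
The log-file exposure mentioned in the quoted reply, as an added example that is not part of the original thread: a Python check that finds credential parameters in web-server access-log request lines and redacts them. The log lines, the `/login.php` path and the list of parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credentials (assumed list; extend for your app).
SENSITIVE = {"email", "password", "passwd", "pwd", "token"}

# Request part of a combined-format access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: the same login sent as a GET query string and as a POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /login.php?email=alice%40example.com&password=s3cret HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:05:00 +0000] "POST /login.php HTTP/1.1" 200 512',
]

def redact_line(line):
    """Return (redacted_line, sorted names of credential parameters found)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    found, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            found.append(key.lower())
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return line, []
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    redacted = line[:m.start("target")] + target + line[m.end("target"):]
    return redacted, sorted(set(found))

def scan(lines):
    """Return [(line_number, [parameter names])] for lines that leak credentials."""
    hits = []
    for number, line in enumerate(lines, 1):
        _, found = redact_line(line)
        if found:
            hits.append((number, found))
    return hits

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: credentials in query string: {', '.join(names)}")
        print(redact_line(SAMPLE_LOG[number - 1])[0])
```

Only the GET line is flagged: the POST request line carries no credentials because they travel in the request body, which the access log does not record.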