
Creating a Login System

 
Nick Patrick
Greenhorn
Posts: 2
I'm trying to create a login system for an Android app, looking for the best way to do this. Very new to Android development so struggling a bit to get my head around this.


App Background:

The app is to be used for small businesses, so:

- An admin will create the user accounts via the web for each user in their company. Users are given their login details (so there is no need for registration within the app).

- App will behave differently depending on the company they are in, so will need to read custom fields from a database.

- Preferably, users will only need to log in once. So some kind of authorization token is saved to phone?

- I don't really want the login system to use any third party login (Google, Facebook etc.).

---

Currently, what I've done is send the email / password (encrypted) from a login form on the app as an HTTP request within a URL query string. I've then got a PHP page that will use the email / password in a SQL statement to see if the user exists and return any user data back to the app.

I believe this will work, but not sure that it is a secure way of doing it? If anyone knows of better ways it is really appreciated!


Thanks
Nick
 
Ulf Dittmer
Rancher
Posts: 42969
  • Likes 1
Credentials should never be sent as part of the query string, since those end up in lots of places where you don't want credentials stored (browser histories, log files, web caches, etc.). You should make that a POST that goes over HTTPS.
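
A sketch of the POST-over-HTTPS request described in this reply, as an added example that is not part of the original post or from either poster. The form field names `email` and `password`, the 10-second timeouts and the endpoint passed in by the caller are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public final class LoginClient {
    /** Returns the response body on HTTP 200, or null if the login was rejected. */
    public static String login(String endpoint, String email, String password) throws IOException {
        URL url = new URL(endpoint);
        // Refuse plain HTTP so credentials never cross the network unencrypted.
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("login endpoint must use HTTPS");
        }
        // Credentials go in the form-encoded body (field names assumed); the URL carries none,
        // so nothing sensitive lands in access logs, caches or histories.
        byte[] body = ("email=" + URLEncoder.encode(email, "UTF-8")
                + "&password=" + URLEncoder.encode(password, "UTF-8"))
                .getBytes(StandardCharsets.UTF_8);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setConnectTimeout(10_000);
            conn.setReadTimeout(10_000);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
            conn.setFixedLengthStreamingMode(body.length);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            // Any non-200 status is treated as a failed login.
            if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) {
                return null;
            }
            StringBuilder sb = new StringBuilder();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                for (String line; (line = in.readLine()) != null; ) sb.append(line).append('\n');
            }
            return sb.toString();
        } finally {
            conn.disconnect();
        }
    }
}
```

On Android, call this from a background thread, since network I/O on the main thread throws `NetworkOnMainThreadException`.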
 
Nick Patrick
Greenhorn
Posts: 2
Ulf Dittmer wrote: Credentials should never be sent as part of the query string, since those end up in lots of places where you don't want credentials stored (browser histories, log files, web caches, etc.). You should make that a POST that goes over HTTPS.


Heh, yeah.. never thought about that.

Great, thanks.. will look into this.
 