What is the best way to write an android application that logs into a server? I am thinking I do not want to maintain a socket, so I think I want to avoid that, I think I want to use the http protocol. My question with that is, on the server side, ideally I would like to use PHP to handle the GET/POST calls from the android app, but I don't know how to return (using PHP) information that my app can handle and not just an html file.
So for example, the facebook app for android. When you first download the app, you login and then the app maintains your connection, but obviously the app is not another web browser, but a regular app that presents its information as if it were a web site. How does the app pass the session cookie so that the PHP $_SESSION variables maintain themselves? How does the android app handle the data that comes back?
If I send a get requestion to htt://www.test.php can the PHP code that executes on the server return a custom set of data? Will the $_SESSION variables be automatically maintainted?
Thank you
You can send a get/post request to log on the server. The PHP page can return JSON or XML. Then your Java (Android) code will have to parse that response.
You can have the PHP page log first, and then start a session. Maybe generate a token key and store this in the database, and then return this to the android app. Android app will get this token (after parsing), and probably save it in a preferences file. This approach is basically a custom session. You will have to figure out things like expiration of token, etc.
There might be a way to store PHP sessions, but not sure how an app behaves differently from a browser. I think sessions can be little bit more complicated with apps.
More discussion here: php session destroyed in android application
You just need to create Server Side API which receives and sends data back to Client. Server start session, when API is requested, and Client receives PHPSESSID which is used to keep session opened. On Client, you use cookie for sessions.
Read about sessions: PHP Sessions (simple) and Session Handling (comprehensive)
Related
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
I designed an application for android (I used android studio), which actually has an embedded web site, which was made by me in php.
The first screen of the application is a login. I would like to know how I can do to make the system to remember the user name and password, as happens in most of the android applications.
You'll probably gonna need a CookieManager and CookieSyncManager to maintain sessions when making calls in your WebView.
check out the API reference here: http://developer.android.com/reference/android/webkit/CookieSyncManager.html
I think you cannot run a .PHP page on a WebView on android. PHP is server-side so it needs to have a server to interpretate and process .PHP files.
If your goal is to have your android app built with HTTP pages, I suggest you Phonegap / Cordova. Take a look. There are many examples which uses Cache/Built-in storage to store variables.
I'm a PHP programmer by profession. So, I don't have any idea about iOS and Android coding.
The scenario is there is one website developed using a Social Networking PHP software titled "PHPFox".
Now there are two similar mobile apps which exactly replicates the functionality of this website. One mobile app is in iOS and another is in Android.
So, I've written a set of RESTful APIs where I'm accepting the request from mobile app, parse the request, pass the request parameters to the function which does the same job for website, get the response from this function, convert it into JSON format and sent it back to mobile app. For iOS and Android app I'm using the same set of REST API files.
When user logs in, the REST API for login gets called. Eventually the PHPFox function for authentication gets called, a security token is generated along with some other user data. With every login the different security token is generated by PHPFox. This data is set into the session. Now every time I call any of the functions through any REST API file the security token generated at the time of login is verified and only upon successful verification of token the PHPFox function gets called. This verification process is done internally by PHPFox. So no need to pass the security token explicitly or implicitly to any REST API call.
Till now everything works absolutely fine.
My doubt starts from here. I don't know whether the session is maintained in iOS/Android app. So, if session on server i.e. PHPFox gets timed out then what will happen to the app? Will it crash? Will the user have to login again? If user kills the app on the device and again comes to the app, does he/she have to do the login process again?
There are too many doubts in my mind. I get totally confused with these things.
Can someone please put more focus on the issue I'm facing? It would be really great if you could explain in detail.
Thanks.
REST is sessionless for its nature. You need to generate a token when user logged in. You must save this token on your mobile client.
For every request, you need to attach a valid token in request header and check it at server side.
If token expires, the token stored on a client is not valid. So, you need to login again because of 401 response. If token it's not correct you need to responde 400.
I hope that I'm helpful for you.
Unlike web browsers, iOS and android apps cannot maintain sessions. Usually, once a user has logged in (login credentials verified from server), its login credentials are saved on client side. Then the app gets data from server using session less REST api calls. This is how mostly it is done in mobile applications.
However, if you want the server session and mobile app go hand in hand (which i don't think is a good idea), the way is
1) When the user logs in, a security token is generated on the server side and saved on both server and client side.
2) The mobile app will be able to communicate with the server as long as the security token is valid.
3) When the session expires, the security token becomes invalid. Now there must be an understanding between server and client about the response when the session is expired. Now the mobile app must redirect the user to login page again. The user will login again and then communicate with the server. This should happen every time the session is expired.
If your are using Oauth 2 for athentication, here is the common setup:
User logs in on mobile app
If the credentials are ok, the server returns the access token, a refresh token and the token's lifetime
The mobile app stores those values + current timestamp
On the server's side, a garbage collector is configured to clear expired tokens
Before making any api call, the mobile app checks if the token is about to expire (with the help of the stored values). If the token is about to expire, the app sends the refresh token which instructs the server to generate a new access token
If you want users to stay connected, the app can be configured to check the access token periodically and request a new one if it's stale
Hope this helps.
Cheers
Your server should be completely stateless, and so no session should be stored.. a REST API is effectively just a data abstraction layer with optional security (through token)
So you API expose an authentication service, which will respond with an Authorization token to be used on subsequent requests as a header, this token should be a 1to1 relation with each user, and Universally Unique. It should also have an expire time, at which point your server responds with appropriate error response requesting your app to refresh the token, which can be done either via a separate refresh token system, or requesting that the user logs in again to refresh the token.
It is the APP which should maintain the state, not the server. The server is merely there for data purposes, and so should not rely on any kind of session based authentication.
A session is "something" that lives on the server. It can be an object storing details about the user (for instance session id, username, email address...) or any other data that will be required to process future requests (such as shopping cart details, delivery address...).
That "something" is typically an object, which can be stored in memory, in a database or even serialized and saved to the file system (I believe this is the default in PHP).
So when you say "I don't know whether the session is maintained in iOS/Android app", I'm afraid that doesn't make sense. Only the server can maintain sessions.
Typically, the only thing that the client would know (web browser or mobile app) is the session id (in the form of a token or GUID). That is the only thing the client/app needs to remember and it needs to be sent alongside any request to the server.
It could be stored as a cookie and/or sent to the server as a request header.
Then the server will read the session id/token from the cookies or header and will retrieve the session details from the place where it stores sessions (file system, memory or database). That is what happens behind the scene when you call session_start().
To read more about session handling and how to create custom session handler (which might be required in your case to get a token from the request headers):
http://php.net/manual/en/function.session-start.php
You should not worry about the session from the mobile development side.in Android we use SharedPrefrence and NSUserDefaults (Flag which maintains the session locally).
I dont have any experience working with PHPFox but this is how a mobile frontend should ideally handle the issues:
Case 1: Mobile app actively talking to server:
Session timeout stamp keeps bumping up and session stays alive.
Case 2: Mobile app active without any server communication (e.g. incoming phone call, moving between apps etc.):
Server session may or may not timeout.
If it times out, next query to server will fail auth and return an error.
App consumes this error and gracefully redirects to login screen with a message toast urging the user to login.
(This happens in my banking app)
Case 3: User kills the app on device and relaunches it:
The app should store the token either in sqllite or shared preferences. (Always logged in apps take this approach)
Upon relaunch, app can query the server with the presistent token.
If session is alive, communication goes through and user can
continue. If not, user goes to login screen as in Case 2.
Now I have a web server written with php. And there some php script files for database accessing. I'm writing a Qt app to send get/post request to the remote php scripts. However, it's not convenient to verify user identity for each request. So, I want to use session control on the web server. But I don't know how to do in Qt application.
As Orangepill and PLB said, the solution is Passing cookies to the request url, you may refer to QNetworkAccessManager::setCookieJar.
Steps
Instantiate the QNetworkAccessManager object and call setCookieJar for it.
Send POST request to the authenticate page which activates a session. Then you will have cookies got from the page in the cookieJar.
Send requests to the pages under the domain will with the session alive.
I'm starting a new application that will have a server side PHP and client in Android another (at the moment, and then also probably iphone). The application will only be used from mobile customer applications ie not to be used by web. My question is what would be the best way to login to this mode of operation?
thank you very much
It sounds to me as if the server side will be some sort of API that opens up access to a users data. The easiest method would be sending along a stored username and password with each request. This would only work if the connection your using is secure (https) which brings in the hassle of obtaining an ssl certificate.
Another option would be using OAuth, though your use case seems a little bit different than the standard OAuth use-case. OAuth is a protocol that uses a token based system to establish a users permission to access certain data from an application by another application. In your case you would be in control of both the first and the second application (hence my remark on being different than the standard use-case) Read here for more info.
I think it will be more easier if you use a webservice to make this connection between android and php server
this Presentation may help you ..
you are gonna deal with SOAP and xml or JSON to send data from android to php server.
and this a Video that shows how to deal with REST android Apps.
hope that help.
I think building an API on the server-side would be the best approach. For example a simple REST endpoint might be the way to go.
You can also host the API over HTTPS so that the communications channel is secure.
you need to create PHP web service for that. and while accessing you can pass security key like IMEI of phone for log. I think it can be secured mode for login from Android Phone.
Best practice these days is to set up a simple JSON web service, and use the built in Android HTTP & JSON libraries to interact with this service.
Create a login page in android, take the values from the fields send those values to server using httppost there store in your database and send response from the server
i think you first make a login form on Php server and send it the login and password as soon as user types and php returns the JSON object then read it if login is accepted by server login to application.
another way is when user don't have the net access make some Content providers on android and store the user pass there and match from there locally.