How to implement login securely in an Android application?

Time: 2022-09-02 15:13:41

Firstly, no OAuth or anything else is supported on the server side, just a normal username-password database query.


I want to implement an android client for the web site. My questions are:


  1. How to log in safely? With HTTPS?
  2. How to store the user's login information safely on the phone so that the user can log in without any input the next time?
  3. If the user does some actions after login, how does he identify himself? How to keep the session? By copying and resending some cookies like "jsessionid"?

1 solution

#1


  1. HTTPS is obviously the best choice, as the username and password will be encrypted between the device and the server (i.e. if the user uses airport Wi-Fi their credentials can't be "sniffed").
  2. You can store the password on the device in SharedPreferences using PreferenceManager.getDefaultSharedPreferences() and access it later within your code automatically. You can provide an option for the user to clear the password. On unrooted devices, no other application or device can access your app's private storage, so the data is safe. On rooted devices it is accessible, but security is one of the downsides of rooting.
  3. It really depends on the server. Most websites use a phpsessionid or jsessionid cookie. In that case see "Android Http get Session Cookie" and "How do I make an http request using cookies on Android?".

OAuth is of course preferred, because this prevents the actual application from storing/having access to the server credentials directly (instead, it's basically a long-term cookie).


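As an added example (not the question's or the answer's own code), the following Java class does what the answer describes for questions 1 and 3: it posts the form over HTTPS, lets java.net.CookieManager capture the server's session cookie, and resends that cookie on later requests. It persists the session cookie value in the default SharedPreferences rather than the password, so the next launch needs no user input; the login URL, cookie name and preference key are assumed placeholders.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.preference.PreferenceManager;
import java.io.IOException;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;
public class SessionStore {
    private static final String LOGIN_URL = "https://example.invalid/login"; // assumed placeholder
    private static final String COOKIE_NAME = "JSESSIONID";                 // assumed: the site's session cookie
    private static final String PREF_KEY = "session_cookie";                // assumed preference key
    private final SharedPreferences prefs;
    private final CookieManager cookies = new CookieManager(); // default policy: cookies from the origin server only
    public SessionStore(Context ctx) {
        prefs = PreferenceManager.getDefaultSharedPreferences(ctx);
        CookieHandler.setDefault(cookies); // HttpsURLConnection now stores and resends cookies automatically
        String saved = prefs.getString(PREF_KEY, null);
        if (saved != null) { // restore the last session so the user is not asked to log in again
            HttpCookie c = new HttpCookie(COOKIE_NAME, saved);
            c.setPath("/"); c.setVersion(0); // version 0 = plain "NAME=value" Cookie header
            cookies.getCookieStore().add(URI.create(LOGIN_URL), c);
        }
    }
    /** Posts the form over HTTPS; the password travels only inside TLS and is never written to disk. */
    public boolean login(String user, String password) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(LOGIN_URL).openConnection();
        conn.setRequestMethod("POST"); conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "username=" + URLEncoder.encode(user, "UTF-8") + "&password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
        if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) return false;
        for (HttpCookie c : cookies.getCookieStore().get(URI.create(LOGIN_URL))) {
            if (COOKIE_NAME.equalsIgnoreCase(c.getName())) { // the server issued a session id: keep only that
                prefs.edit().putString(PREF_KEY, c.getValue()).apply(); return true;
            }
        }
        return false; // no session cookie in the response: treat as a failed login
    }
    public void clear() { // the "clear" option the answer mentions: forget the session on disk and in memory
        prefs.edit().remove(PREF_KEY).apply();
        cookies.getCookieStore().removeAll();
    }
}
```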