I’m developing an application where the user can log in by providing their email and password. After that, I make a request to my PHP server, which checks in the database whether the data exist and are correct (if yes, it returns status = true and some more data; if not, it returns status = false).
It turns out, though, that I don’t want the user to have to log in every time they open the app. What’s the best way to do that?
I know I shouldn’t save the email and password in Ionic Storage (I use it only for non-confidential data, such as name, surname, photo, etc.). I took a look at Secure Storage (to store the sensitive data only); however, it requires the user to have a certain level of security on their device (a password on the lock screen) to work, and this is impossible for my app (not everyone uses a password on the lock screen).
From my research, I saw that most recommendations are that, when logging in, the PHP server generates an access token, stores it in the database (attaching the token to the user), and returns it to the app, which saves it in Ionic Storage; then, every time the app is opened, the app sends this token with the request and the server checks in the database whether it exists and is valid.
On that front, I thought of the following: save the user id (I’ll use it in almost every action in my app) and the token in Ionic Storage, then, at authentication time, check whether the token exists for the given id. This rules out the possibility of a malicious user accessing the app’s storage, simply changing the id and passing themselves off as the user corresponding to that id, because besides the id, they would also have to get hold of the token generated for that user.
Is this a safe way to authenticate? If not, how to do?