Is there a session variable in Json [web service]?

Viewed 244 times

Well, the mini world of my project is as follows:

I am creating an application where I will consume a database via the JSON method, where I validate the logged-in user. However, when I am asked to add some other information to the database itself, how will I identify that user X is adding it and not user Y? The method I thought of is to record a session variable, so I will always know that user X of cell phone x is adding content.

Is there any solution to this doubt? I need a direction to study this further. I thank anyone who contributes something.

User view:

Suppose I am the user of the application: I need to log in to access my information; after this I have the possibility to register a new student, make a call to this student, in addition to being able to make a report on how the class went.

Programmer’s view:

I need to record the login data entered by the user so I can identify what information I need to change, because there may be several logged-in users and each user is part of a school, for example. When the user registers the student, it is necessary to identify which user is doing this. I could use sharedPreferences, however my program would be vulnerable to any type of hacker.

It would not be necessary for me to use login through Facebook, Outlook, Gmail, among others, because not all people have these logins; besides, I need to register the "teacher" in advance because only people registered in my system have access.

1 answer

Just to clarify the nomenclature: JSON is not a method, it is simply a way to represent objects as a string. This form is used to transmit the data sent and received by the web services you write to interact with the database.

When you validate the user, you can send the user id in the database along with the response JSON. Store this id in your Android app, for example in Shared Preferences.

When your application is going to do a database operation (via a web service call, never directly in the database), you must pass the user id as a parameter to the web service, so it will know that the operation is being done by the user with this id.

Web service calls are simple HTTP requests. An HTTP request (and its response) has both a body and a header. The most common types of request (these are indeed called "methods") are HTTP GET and HTTP POST. In the case of HTTP GET the parameters go along with the request URL. In the case of HTTP POST they go in the body of the request, separate from the URL.

Depending on the library you're using to call web services, this body-and-header business may be abstracted away from the developer, but it is still good to understand these things.

That's one way to do it. It does not require any session variable; at most, you store an authentication token that is returned by the user validation web service and can be included in subsequent calls, so you do not need to validate the user again with each request.

There are other ways, including generating the authentication token so that the user’s id is encrypted on it, and decrypting from the server side to retrieve that id. In this case it is not necessary to send the id to each request, as it is already included in the token. It will depend on how you are implementing user authentication.


EDIT: Your concern that some hacker might access your Shared Preferences is what should make you not reinvent the wheel and use a solution like OAuth2. Keep in mind that for someone other than the application itself to access this data, the device needs to be rooted, that is, to be in the hacker's possession with root access unlocked. This is no ordinary situation. There are other scenarios to worry about, and a solution like OAuth2 proposes to avoid them without the developer needing to master this area, which is complex, and write code from scratch.
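The token approach described in the answer, as an added example that is not part of the original answer: a server-side Python sketch in which the login service issues a token carrying the user id and an expiry, and every later web service call derives the acting user from that token instead of trusting an id the app sends. It signs the id with an HMAC rather than encrypting it (the id is readable but cannot be forged); SERVER_SECRET, register_student and the token layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side secret, constructed for this example. It stays on the server;
# the app never needs it, so there is nothing of value in Shared Preferences to steal.
SERVER_SECRET = b"example-secret-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Called by the login web service once the credentials have been validated.
    The payload carries the user id and an expiry; the MAC proves the server issued it."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + ttl_seconds}, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def user_id_from_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Called on every later request. Returns the user id, or None when the token
    is malformed, was tampered with, or has expired."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return None if claims.get("exp", 0) <= now else claims["uid"]


def register_student(token: str, student_name: str) -> dict:
    """Hypothetical 'register student' web service: the owner of the new record comes
    from the token, never from a user id supplied in the request body."""
    uid = user_id_from_token(token)
    if uid is None:
        return {"status": 401, "error": "invalid or expired token"}
    return {"status": 201, "student": student_name, "registered_by": uid}
```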

  • Do you have a website to tell me about this token? Do I need to read more about this and learn how to implement it? If you know of any video lesson in production, I would be grateful.

  • This authentication thing is hairy; I don't really understand it myself. People usually recommend not reinventing the wheel in this case, and instead giving preference to something ready-made like OAuth2. If you detail your scenario better (what credentials are used, whether from Facebook, Google, or another case), preferably in another question here at SOPT, people can help more.

  • I've gone over my question one more time; see if you can understand it, and if there's anything you can help me with.

  • I supplemented the answer.

  • I found nothing referring to OAuth2 for the use I need; I am not interested in using Facebook or anything like it to authenticate, I need to be authenticated with my server. Could you help me find something for this specific use? Or would you have another solution (in Portuguese) to show me?

  • OAuth 2.0 is generic, unrelated to Facebook or Google (I cited these services because they offer their own APIs for authentication). And there's a problem: I couldn't find tutorials in Portuguese for Android, only in English.
