lse123 — 2014-03-24T07:54:44-04:00 — #1
In Ajax/PHP/MySQL/MyUserAccountSecureArea/SESSION communication...
is it the same for website <> server as for a
Hybrid (like PhoneGap) App <> server???
Is it necessary to send the user's password to the server in every request, in the latter case?
Are https:// PHP Ajax URLs required?
vgarcia — 2014-09-08T21:05:06-04:00 — #2
You should only send the username and password once to log in. Upon successful login your server should send down some kind of access token/cookie, and you pass that in as a header in subsequent authenticated requests. I also highly recommend you don't write your own custom authentication layer and use something open/known/off the shelf like OAuth.
And yes, I would recommend using HTTPS when transmitting anything remotely sensitive nowadays, like login info or private user data.
mrgee — 2014-09-09T03:46:53-04:00 — #3
I will have to agree with @vgarcia here.
Don't reinvent the wheel. There are dozens of off-the-shelf solutions that help you do the login process under the hood and have already implemented security measures.
But if you think you definitely need to build your own login system, send the username and an encrypted version of the password (using one-way encryption like md5+salt, which should be kept super-secret; you may even retrieve it from the server dynamically regularly). After your server sends a successful response, assume the user is logged in and only do periodic checks/calls to the server to make sure you haven't deleted or deactivated the user remotely (e.g. before every important operation, such as account modifications on the device or adding/deleting transactions if you do a financial app).