Is there a session variable in Json [web service]?

2

Well, the mini world of my project is as follows:


I'm creating an application where I will consume a database through JSON, where I validate the logged-in user, but when it is asked to add some other information to the database, how will I identify that it is user X adding it and not user Y? The method I thought of is to write a session variable, so I will always know that user X on phone x is the one adding content.

Is there any solution to this? I need a direction to study this further. Thank you for contributing.

User view:


Suppose I am the user of the application: I need to log in to access my information; after that I have the possibility to register a new student, to take attendance for this student, and to report how the class went.

Developer view:


I need to record the logged-in user's data so I can identify which information I need to change, as there may be multiple users logged in, each user belonging to a school, for example. When the user registers the student, it is necessary to identify which user is doing this; I could do it through SharedPreferences, but my program would be exposed to any kind of hacker.

It would not be necessary for me to use login through Facebook, Outlook, Gmail and the like, since not everyone has these logins; in addition, I need to register the "teacher" beforehand, because I will only grant access to people registered in my system.

asked by anonymous 04.08.2015 / 16:29

1 answer

4

Just to clarify the nomenclature: JSON is not a method, it is simply a way to represent objects as a string. This format is used to transmit the data sent and received by the web services you write to interact with the database.

When you validate the user, you can send the user's id in the database along with the JSON response. Save this id in your Android application, for example in SharedPreferences.

When your application needs to perform an operation on the database (via a web service call, never directly against the database), you pass the user id as a parameter to the web service, so it knows that the operation is being performed by the user with this id.

Calls to web services are simple HTTP requests. An HTTP request (and its response) has a body and headers. The most common ways of making a request (the so-called "methods") are HTTP GET and HTTP POST. With HTTP GET the parameters go along with the request URL. With HTTP POST they go in the request body, separate from the URL.

Depending on the library you are using to call web services, this body-and-header business may be abstracted away from the developer, but it is good to understand these things anyway.

That's one way to do it. It does not require any session variables; at most, you save an authentication token that is returned by the user validation web service and can be included in subsequent calls, so you do not have to validate the user again on every request.

There are other ways, including generating the authentication token so that the user id is encrypted inside it, and decrypting it on the server side to retrieve this id. In this case it is not necessary to send the id with each request, since it is already included in the token. It will depend on how you are implementing user authentication.

EDIT: Your concern about some hacker accessing your SharedPreferences is what should make you not reinvent the wheel and use a solution like OAuth2. Keep in mind that for anyone other than the application itself to access this data, the device must be rooted, i.e. be in the possession of the hacker with root access unlocked. It is not a common situation. There are other scenarios to worry about, and a solution like OAuth2 aims to avoid them without the developer having to master this complex area and write code from scratch.

04.08.2015 / 16:53