Sessions

joesmithjunior

Member
Licensed User
Longtime User
I'm not sure if sessions are exactly what I need help with, but I need to design an app that lets you log in and update information about your account. I know how to connect to the database, but how do I keep a session going so that someone couldn't hack in and change other people's information in the database? If anyone knows a tutorial that will help me with this please let me know. I've searched and haven't found anything. Maybe I am searching for the wrong information. Basically I just need a way to securely let someone log in and modify their own information via their Android. Thanks!
 

joesmithjunior

Member
Licensed User
Longtime User
The database is on a remote server. My concern is if I just verify the username and password and then let their program change fields what would stop someone from making their own program that can connect to the database with their username and password and change someone else's fields or access their information.
 
Upvote 0

warwound

Expert
Licensed User
Longtime User
The database is on a remote server. My concern is if I just verify the username and password and then let their program change fields what would stop someone from making their own program that can connect to the database with their username and password and change someone else's fields or access their information.

Solutions to securing a connection to a remote server range from non-existent to very complex.
How complex your solution is depends much on how much time you have to spend on the solution.

Does your B4A application interact with the remote server database using PHP scripts or do you use a .NET technology such as ASP?

I have no experience of .NET but can point you in the right direction if you are using PHP.

First check out the documentation for PHP Sessions: PHP: Sessions - Manual.

Once your server has successfully authenticated the user - username and password accepted - you'd start a new session.
Each session has a unique id so after starting a new session you need to pass that unique id back to your application.
Now each time your application sends a request to the server it must include that unique session id in the request.
(Depending on how you are connecting to the server that session id may automatically be sent with each request - if you are using a WebView I think the WebView automatically does this).
The PHP script checks the session id and if it is not the current session id then the script will not process the request.

Look at the example code posted here:

<?php
// Start (or resume) the session
session_start();

if (isset($_SESSION['user'])) {
    // Code for logged-in members

    // Identifying the user
    $user = $_SESSION['user'];

    // Information for the user.
} else {
    // Code to show guests
}
?>

Code for logging in a user:
<?php
// The session must be started before $_SESSION can be written to
session_start();

// Username stored for logging in
define("USER", "user");

// Password stored
define("PASS", "123456");

// Normal user section - not logged in ------
if (isset($_REQUEST['username']) && isset($_REQUEST['password'])) {
    // Section for logging process -----------
    $user = trim($_REQUEST['username']);
    $pass = trim($_REQUEST['password']);
    if ($user == USER && $pass == PASS) {
        // Successful login ------------------

        // Setting session
        $_SESSION['user'] = USER;

        // Redirecting to the logged-in page; exit so nothing runs after the redirect
        header("Location: index.php");
        exit;
    } else {
        // Wrong username or password. Show error here.
    }
}
?>

You should be able to modify that, I think.

Sessions automatically timeout after a period, that period depends upon the PHP configuration of your server.
If you have write access to your php.ini file then you can change the default timeout period.
I think the default timeout period is 1440 seconds, but it may be that your webhost has changed this default period.

Anyway once your application has finished communicating with the server it is best for the app to send a request to indicate that the app has finished with the current session.
The server can then destroy the current session rather than leaving it to be destroyed after the timeout period set in the php.ini file.

Martin.
 
Upvote 0

warwound

Expert
Licensed User
Longtime User
So once the session is created I can limit them to only have access to the fields that are tied to their username?

Ah, now I better understand your original question!

My concern is if I just verify the username and password and then let their program change fields what would stop someone from making their own program that can connect to the database with their username and password and change someone else's fields or access their information.

Assuming that you have a server side script to authenticate the username/password, that script should only allow access to that (authenticated) user's database fields.

You should not create a script that allows a user to login and access other users' database fields.

Whether you use sessions or not it's very bad design practice to have a script which authenticates a user and once authenticated allows access to other user's data.

How you limit access to the database once a user is authenticated depends much on the database structure and how each user's data is stored.

If you update the script so that it restricts access to the authenticated user's database fields only then you may decide that you no longer require sessions.

Martin.
 
Upvote 0
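A server-side script that applies Martin's two points together (a session id issued at login, and every later request scoped to the authenticated user's own row only) and destroys the session on logout as his earlier post suggests. This is an added example, not code from the thread or from B4X; it assumes a MySQL `users` table with columns `id`, `username`, `password_hash` and `email`, reached via PDO with placeholder credentials, and a client that returns the session cookie with each request.

```php
<?php
// Added example (not from the thread). Assumed table: users(id, username, password_hash, email).
// The client must send the PHPSESSID cookie it received at login with every later request.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',   // placeholder credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
header('Content-Type: application/json');

$action = $_POST['action'] ?? '';

if ($action === 'login') {
    // Look the user up by name and check against a password_hash() value stored in the table,
    // rather than against a plaintext constant as in the snippet above.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$_POST['username'] ?? '']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($_POST['password'] ?? '', $row['password_hash'])) {
        session_regenerate_id(true);            // fresh id so a pre-login id cannot be reused
        $_SESSION['user_id'] = (int)$row['id']; // the server, not the client, records who this is
        echo json_encode(['ok' => true]);
    } else {
        http_response_code(401);
        echo json_encode(['ok' => false, 'error' => 'bad credentials']);
    }
    exit;
}

// Everything below requires an authenticated session.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['ok' => false, 'error' => 'not logged in']);
    exit;
}

if ($action === 'update_email') {
    // The WHERE clause is bound to the id kept in the session. A request that supplies
    // another user's id in the POST body has no effect, because the script never reads an id
    // from the client; the prepared statement also keeps the email value out of the SQL text.
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$_POST['email'] ?? '', $_SESSION['user_id']]);
    echo json_encode(['ok' => true, 'updated' => $stmt->rowCount()]);
} elseif ($action === 'logout') {
    // Drop the session now rather than waiting for the php.ini timeout to collect it.
    $_SESSION = [];
    session_destroy();
    echo json_encode(['ok' => true]);
} else {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'unknown action']);
}
```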

joesmithjunior

Member
Licensed User
Longtime User
Are there any tutorials on this? I've been working with the connecting to MySQL tutorial and understand how that works, but I don't know PHP and don't understand how to make the PHP script limit their access to only that user's fields. If not I'd be willing to pay someone to write a PHP script for me for this purpose. The PHP script in the MySQL tutorial doesn't appear to handle authentication. The MySQL tutorial doesn't show how to add or change fields either, I don't believe.
 
Upvote 0

joesmithjunior

Member
Licensed User
Longtime User
The website they're accessing is a Joomla website, but I don't want to just load the web page on the Android. I want to pull the information and be able to store the user's info that they requested in variables so I can display the information however I want in the app. Is there a better way to approach this than what I am trying to do? Could I use the HTTP library to communicate directly with the Joomla site instead of creating a new PHP script?
 
Upvote 0

warwound

Expert
Licensed User
Longtime User
So you're creating an Android client for a Joomla website.

I doubt very much that the Joomla website will allow your client to access anything that doesn't belong to the authenticated user - so that more or less answers the original question.

I don't know a lot about Joomla so I had a search for a joomla android client and found joooid.

Unfortunately that is a complete Android application and not an API that you could build your own custom client with.
But read the info and you'll see that to use joooid the Joomla website needs to have installed a plugin to enable it to work with joooid.

Maybe you could install that plugin and try to write your own client to use that plugin?
(I'm assuming you have access to the joomla website configuration?)

I had another search, this time for joomla android api; this is more precisely what you need - but only if you have access to the joomla website configuration.

Joomla webservices / RESTFul like API released looks like it may be useful to you?

Anyway - have a Google for stuff related to joomla, android and available APIs and see what you can find.

Martin.
 
Upvote 0