Please help me understand the basics of an app with authentication

7 posts, 0 answers
  1. Markus
    205 posts
    Member since:
    Nov 2005

    Posted 10 Oct 2013

    Good day 

    Coming from web design, where everything is on the server, I would appreciate it very much if someone could outline the basic concept of how to do it in app design. No code needed, just how it should basically work.

    Here is what I have

    SQL DB

    table_database
    database_Id: 1
    database_name: test 1
    database_Id: 2
    database_name: test 2

    ----------------------------------

    table_users
    user_ID: 1
    database_ID :1 <- matching the user to table_database
    user_name: JohnDoe
    user_password_hashed: 8939xlsljsdf93

    user_ID: 2
    database_ID :1 <- matching the user to table_database
    user_name: JaneDoe
    user_password_hashed: 99skdhask

    user_ID: 3
    database_ID :2 <- matching the user to table_database
    user_name: JohnSmith
    user_password_hashed: 8sonjsadfi98

    ----------------------------------

    table_content
    content_ID: 1
    database_ID: 1 <- matching the content to the table_database

    content_ID: 2
    database_ID: 2 <- matching the content to the table_database

    content_ID: 3
    database_ID: 1 <- matching the content to the table_database

    ----------------------------------

    Now in a web solution, after the user enters his username and password I hash the password, compare it to the value in the DB and, if OK, save the database_ID in the session and simply show the user all entries from table_content with the corresponding database_ID.


    Here come some simple/stupid questions.

    I can get my JSON over https://, but still, what would make more sense, security-wise?

    Option A

    1) the user enters username and password on phone app (he will have to do this every time -> not saving anything or autologin)
    2) I hash the password and make my JSON request with username and hashed password

    Option B

    1) the user enters username and password on phone app (he will have to do this every time -> not saving anything or autologin)
    2) Make my JSON request with username and password and hash it on the server


    Am I right that Option A is the correct way?

    ----------------------------------

    The question now is: how do I get the table_content entries corresponding to the database_ID, security-wise?

    Well, the JSON is available on the web, so I need to make sure that a phone app user can only get the table_content entries corresponding to his database_ID in table_users.

    Kind of hard to explain but pretty simple: just what is the concept for getting this done.

    The app is a spin-off from a site that can be accessed through the browser.

    Markus

  2. Markus
    205 posts
    Member since:
    Nov 2005

    Posted 15 Oct 2013

    Anyone willing to shed some light on this for me?

    Markus
  3. Steve
    Admin
    10941 posts

    Posted 17 Oct 2013

    Hello Markus,

    You can secure the server side using the authentication technology of your choice and then make AJAX calls to the REST service, passing along the credentials. The following two posts by Raymond are pretty descriptive and should give you the basic idea:

    Regards,
    Steve
    Telerik
    You've missed the Icenium Visual Studio Integration keynote? It has been recorded and posted here.
    Looking for tips & tricks directly from the Icenium team? Check out our blog!
    Share feedback and vote for features on our Feedback Portal.
  4. Markus
    205 posts
    Member since:
    Nov 2005

    Posted 18 Oct 2013

    Dear Steve

    Thanks for taking the time to link me. However, my problem is less the authentication than how to make sure that once the user is logged in he can only access his data:

    table_content
    content_ID: 1
    database_ID: 1 <- matching the content to the table_database

    content_ID: 2
    database_ID: 2 <- matching the content to the table_database

    content_ID: 3
    database_ID: 1 <- matching the content to the table_database

    Again, in web development I save the database_ID associated with the user in a session cookie. I then use this session cookie to retrieve the data.

    Now in mobile development, when I make a new call to fetch data I of course need to pass this database_ID. Now of course anyone could then simply try to pass a database_ID through the web (recompile the APK and you know the URL of the JSON).

    So the question is: should I simply do the login procedure every time I go for the data, meaning extend my JSON to not only fetch the data but every time get and check the database_ID?

    Hope you can understand what I am trying to explain.

    Markus
  5. Steve
    Admin
    10941 posts

    Posted 21 Oct 2013

    Hello Markus,

    I do not quite understand your security concern, as anyone can get your service URL and pass a database_ID to it from your website as well. One should have a valid content_ID in order to proceed, and you generate this based on the login and secure it on the server side. If you wish, you can use a cookie to retrieve data in the Icenium app as well. Basically, a hybrid app based on Cordova is pretty much a web app, so no big differences there.

    Regards,
    Steve
    Telerik
  6. Markus
    205 posts
    Member since:
    Nov 2005

    Posted 21 Oct 2013

    Dear Steve

    When I am web developing I am not using a service of course :-) That's the big difference.

    I guess it's hard to explain, or I might really have no clue at all.

    Web development

    I can get all entries from table_content after authenticating the user on the server, saving a cookie with his database_ID ON THE SERVER after he is authenticated.

    So no authentication, no session cookie with his database_ID.

    Then I can get the data from table_content based on that server cookie.

    --------------

    In a mobile app I was under the impression that I would not have a cookie that can be set.

    If I can set a cookie in my phone app do you have a link to an example. 

    Markus
  7. Steve
    Admin
    10941 posts

    Posted 23 Oct 2013

    Hi Markus,

    I was under the impression you're trying to do an easy site-to-mobile migration. If you are doing the mobile implementation from scratch, then instead of a cookie, review and consider handling the authentication process via localStorage. It's a persistent key-value store, e.g.

    localStorage.setItem("webServiceResponse", webServiceResponse);

    Regards,
    Steve
    Telerik
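The client side to go with the localStorage suggestion in the last post, as an added example that is not code from the thread or from Telerik/Icenium. It assumes a Cordova WebView with `window.localStorage` and `window.fetch` (both injected as `storage` and `fetchFn`, so the block also runs offline in Node against a constructed fake server), a hypothetical REST API with `/login` and `/content` endpoints, and a hypothetical `sessionToken` key. Only the opaque token the server returned is stored; the username and password are sent once over HTTPS and never written to the device, and a 401 on a data call clears the token and sends the user back to the login screen.

```javascript
// Added example: the hybrid-app (Cordova/Icenium) side. Not code from the thread
// or from Telerik. The WebView keeps only the opaque session token the server
// returned, in localStorage, and sends it as a bearer header on every data call;
// the username and password are never stored. `storage` and `fetchFn` are
// injected so the same code runs in the WebView (window.localStorage,
// window.fetch) and offline in Node against the constructed fake server below.

const TOKEN_KEY = 'sessionToken'; // assumed localStorage key name

function createAuthClient({ baseUrl, storage, fetchFn }) {
  async function login(username, password) {
    // Credentials travel once, over HTTPS, in the request body.
    const res = await fetchFn(baseUrl + '/login', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ username, password }),
    });
    if (res.status !== 200) return false;
    const { token } = await res.json();
    storage.setItem(TOKEN_KEY, token); // the token, never the password
    return true;
  }

  async function getContent() {
    const token = storage.getItem(TOKEN_KEY);
    if (token === null) return { needsLogin: true, rows: [] };
    // No database_ID in the request: the server derives it from the token.
    const res = await fetchFn(baseUrl + '/content', {
      headers: { Authorization: 'Bearer ' + token },
    });
    if (res.status === 401) {
      storage.removeItem(TOKEN_KEY); // expired or revoked: make the user log in again
      return { needsLogin: true, rows: [] };
    }
    return { needsLogin: false, rows: await res.json() };
  }

  function logout() { storage.removeItem(TOKEN_KEY); }
  function hasSession() { return storage.getItem(TOKEN_KEY) !== null; }

  return { login, getContent, logout, hasSession };
}

// Constructed stand-in for window.localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed fake of the server's two endpoints (one account, one tenant),
// in the shape of window.fetch. The real server binds token -> database_ID.
function fakeServer() {
  const account = { username: 'JohnSmith', password: 'hunter2', rows: [{ content_ID: 2, database_ID: 2 }] };
  const liveTokens = new Set();
  const reply = (status, body) => ({ status, json: async () => body });
  return {
    revoke: (token) => { liveTokens.delete(token); },
    fetch: async (url, opts = {}) => {
      if (url.endsWith('/login')) {
        const { username, password } = JSON.parse(opts.body);
        if (username !== account.username || password !== account.password) return reply(401, {});
        const token = 'tok-' + Math.random().toString(16).slice(2);
        liveTokens.add(token);
        return reply(200, { token });
      }
      if (url.endsWith('/content')) {
        const auth = (opts.headers && opts.headers.Authorization) || '';
        if (!liveTokens.has(auth.replace(/^Bearer /, ''))) return reply(401, {});
        return reply(200, account.rows);
      }
      return reply(404, {});
    },
  };
}
```

In the WebView this is wired up as `createAuthClient({ baseUrl, storage: window.localStorage, fetchFn: window.fetch.bind(window) })`. localStorage is a plain-text store readable by any script running in the WebView, so the value kept there should be a short-lived, server-revocable token rather than credentials or a whole web-service response; with the server binding that token to the user's database_ID, a copied token gets an attacker nothing beyond that one tenant until it expires or is revoked.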