我有兴趣做的用户身份验证的移动应用程序的最佳途径。此刻的设立是相当简单的。我存储上的应用程序的用户名和密码，它每一个我需要运行一个受限制的查询时发送到API。

I'm interested in the best way to do user auth in a mobile app. At the moment the set up is quite simple. I'm storing the username and password on the app and sending it to the api each time I need to run a restricted query.

这我觉得可能是错误的方式去了解这一点。

This I feel is probably the wrong way to go about this.

请问有更好的方式是发送用户名和密码，当用户登录，然后存储用户的id？这样做的问题是，则API接受一个用户ID，而不是一个用户名和密码。用户ID将被更容易地猜的和恶意的人将能够提交REQ的API下他们的帐户随机选择的用户ID的执行操作。我有一个API密钥。难道这还不够安全？

Would a better way to be to send the username and password when the user logs in and then store that user's id? The problem with this is that then the api accepts a user id and not a username and password. A user id will be much easier to "guess" at and malicious persons would be able to submit a req to the api with randomly selected user id's performing actions under their account. I have an api key. Is this secure enough?

问题是，我要开始整合Twitter和Facebook的OAuth到应用程序。我没有很多机会了解它，但我觉得你得到一个令牌。如何将这项工作与建立，你在暗示什么？会有利于在我自己的用户数据库中创建一个令牌，使用令牌（无论是我的，Facebook的或叽叽喳喳的）作为授权？还是会意义，以保持每个业务独立，并处理它们分开？

The issue is that I want to start integrating twitter and facebook oauth into the app. I haven't read much about it, but I think you get a "token". How would this work with the set up that you're suggesting? Would there be benefit to creating a token in my own database of users and using the token (whether it be mine, facebook's or twitter's) as the authorisation? Or would it make sense to keep each service separate and deal with them separately?

感谢你。

推荐答案

正确的方法是在服务器上生成身份验证令牌当用户登录和登录回复发送该令牌。然后此标记被用在随后的请求。

The correct way would be to generate auth token on the server when user logs and send this token in login reply. Then this token is used in subsequent requests.

这意味着，服务器必须跟踪身份验证令牌它所产生的。您还可以跟踪令牌创建时间，使令牌在一段时间后过期。

This means that server must keep track of auth tokens it generates. You can also track token creation times and make tokens expire after some time.

令牌必须是一个足够长的随机字符串，使其不容易被猜到。如何做到这一点是以前回答：How以生成Java 的随机字母数字串

Token must be a sufficiently long random string, so that it can not be easily guessed. How to do this was answered before: How to generate a random alpha-numeric string in Java

我个人preFER的UUID的方法。

Personally I prefer the UUID approach.

更新：

这个问题已经解决了Web浏览器，通过cookie和会话。您可以重新使用这一机制在你的Andr​​oid要求（虽然有些REST纯粹主义者反驳这一做法）：

This problem was already solved in web browsers, via cookies and sessions. You can reuse this mechanism in your Android requests (though some REST purists disprove this approach):

启用服务器会话。

Enable sessions on server.

当用户登录到一台服务器的一些数据添加到会话，进行登录实例时间：

When user logs into a server add some data to session, for instance time of login:

request.getSession().setAttribute("timeOfLogin", System.currentTimeMillis());

由于会被激活，您还需要启用支持Cookies在HttpClient的请求：Using使用时，整个活动饼干的HttpClient

每次请求时，服务器应检查是否会包含 timeOfLogin 属性。否则，它应该返回HTTP 401答复。

Every time a request is made, server should check if session contains timeOfLogin attribute. Otherwise it should return HTTP 401 reply.

当用户注销时，呼叫服务器注销URL和清除客户端的cookie。

When user logs out, call server logout url and clear the cookies on client.