Android with Django: how to keep the user logged in

2023-09-07 02:01:44 Author: ソ愿岁月温柔对她丷

I want to know what the methods used by popular apps are.

Here are the approaches I have considered:

- When user logs in, save username & password in shared preferences and re-use it every time (I think this will suck)
- Login on the client (app) side with Facebook SDK, pass the authentication token to the app and use that to create a user.
- Pass a token to the app, store this token on the phone and use it in future communications. I think it would make sense to re-create this token periodically, but how to do so without asking the user to login again?
- Create a login view. This will mean passing username and password to the API, and then go with the user token.

Recommended answer

I don't think you should store user credentials in preferences.

The most common approach is to send credentials to server and then as a response get a session key. Then include the session key as a header to any request (and validate it in every request).

If the session key would become invalid (e.g. expired) then the server should return a proper response, and the client should initialize authentication functionality.

Example

First run

1. Show login Activity
2. Send credentials to server
3. Get a session_key as a response (normally it's a hash)
4. Store the session_key hash
5. User is authenticated, exit the login Activity

Any request to the server

1. Add a header with session_key to your request (e.g. as a header)
2. Send the request
3. If the response is OK, stop; else (e.g. response with message "not authorized" or status code 401) run First run
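
The flow from the answer above, as an added example that is not part of the original answer or any Django API: a stand-in server issues and validates the session key, and a stand-in client stores only that key and repeats "First run" on a 401. The header name `X-Session-Key`, the one-hour lifetime, the demo account, and the choice of a random key stored server-side as a SHA-256 digest are assumptions of this sketch.

```python
import hashlib, secrets, time

HEADER = "X-Session-Key"            # assumed header name
SESSION_TTL = 3600                  # assumed key lifetime in seconds
USERS = {"alice": "correct horse"}  # constructed demo account; real servers store password hashes
SESSIONS = {}                       # sha256(session_key) -> (username, expires_at)

def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()

def login(username, password, now=None):
    """Check credentials once and hand back a random session key."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
        return 401, None
    key = secrets.token_urlsafe(32)  # random, never derived from the password
    SESSIONS[_digest(key)] = (username, now + SESSION_TTL)  # server keeps only the digest
    return 200, key

def handle_request(headers, now=None):
    """Validate the session key on every request; unknown or expired keys get 401."""
    now = time.time() if now is None else now
    digest = _digest(headers.get(HEADER, ""))
    entry = SESSIONS.get(digest)
    if entry is None or now >= entry[1]:
        SESSIONS.pop(digest, None)   # drop expired keys so they cannot be replayed
        return 401, "not authorized"
    return 200, f"hello {entry[0]}"

class Client:
    """Stands in for the app: it stores the session key, never the password."""
    def __init__(self, prompt):
        # prompt() models the login Activity and returns (username, password)
        self.prompt, self.session_key, self.login_prompts = prompt, None, 0

    def first_run(self, now=None):
        self.login_prompts += 1
        status, self.session_key = login(*self.prompt(), now=now)
        return status

    def request(self, now=None):
        status, body = handle_request({HEADER: self.session_key or ""}, now)
        if status == 401 and self.first_run(now) == 200:  # re-authenticate, retry once
            status, body = handle_request({HEADER: self.session_key}, now)
        return status, body
```

On Android the stored key would live in app-private storage, and the retry on 401 is limited to one attempt so a rejected login does not loop.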