Token usage in Android

Source: Internet
Author: User

First of all, what is a token, and why does it exist? Anyone who has learned PHP or other web development knows about sessions and cookies, which can store something on the server or locally, such as a login state. When the user logs in, that state can be kept for a period of time through a session or a cookie. During this time the user does not have to enter the user name and password again, but after that period the user needs to authenticate again. This saves a lot of steps and improves the user experience, saves a lot of server requests and improves server performance, and also guarantees a certain degree of security.

So how is this feature implemented in Android? Unfortunately, there is no such thing as a session or cookie directly on Android, so it is done with a token. A token works like a pass. For example, when we need to perform operations that require user rights, each operation sends a request to the server, and the server would have to check the user name and password against the database every time, which is obviously bad for server performance. Of course, some people will say that after a successful login we can store something like a user_id locally and send that user_id with every later request; would that not reduce the burden on the server? But there is a problem: once the user_id is stored locally, it is unlikely to be reclaimed automatically, so the app is treated as authenticated whenever it is opened, which reduces security. A token is what solves this problem:

Token definition: a token is a string generated by the server that serves as a pass for the client's requests. When the first login is made, a token is returned to the client, and the client only needs to bring this token to request data. There is no need to send the user name and password again.

Now that we know what a token means, let us be more specific about how it is used.

1. Use the device number/device MAC address as token (recommended)

Client: The client obtains the device's device number/MAC address when logging on, and passes it as a parameter to the server.

Server: After the server receives the parameter, it stores it in a variable as the token, saves it in the database, and sets the token in the session. Every client request is intercepted in one place: the token passed by the client is compared with the token in the server-side session. If they are the same, the request is let through; if they differ, it is rejected.

Analysis: At this point the client and server share a unique identity token, and each device has a unique session. The disadvantage of this method is that the client needs to send the device number/MAC address as a parameter, and the server needs to save it. The advantage is that the client does not need to log in again: after logging in once, it can keep being used. The time-out problem is handled on the server side. How? If the server's token expires, the server simply looks up the token passed by the client in the database and assigns it to the token variable again, so that the token's timeout restarts.

2. Use Session value as token

Client: The client only needs to carry the username and password to login.

Server: The server receives the user name and password and checks them. If they are correct, it takes the local SessionID and returns it to the client as the token, and the client then only needs to carry this token when requesting data.

Analysis: The benefit of this approach is that it is convenient and no data needs to be stored; the disadvantage is that when the session expires, the client must log back in to access the data.
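The server side of the flow described above (issue a token at first login, check it on every intercepted request, restart the timeout on use, and force a new login once it has expired) can be sketched as follows. This is an added example, not code from the original article; `TokenStore`, its method names, the in-memory dictionary and the 1800-second timeout are assumptions, and the token is a random server-generated string as in the definition above.

```python
import hashlib
import secrets
import time


def _digest(token):
    # Store only a hash of the token, so a leaked table does not reveal usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in (assumption) for the server's session table."""

    def __init__(self, ttl=1800, clock=time.monotonic):
        self._ttl = ttl          # seconds of inactivity allowed (assumed value)
        self._clock = clock
        self._sessions = {}      # sha256(token) -> (user_id, expiry time)

    def issue(self, user_id):
        """Call only after the user name and password have been verified."""
        # Unpredictable value from the OS CSPRNG; a device number or MAC
        # address is an identifier that other parties can learn, not a secret.
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def authenticate(self, presented):
        """Interceptor for every request: user_id if the token is valid, else None."""
        key = _digest(presented)
        entry = self._sessions.get(key)
        if entry is None:
            return None                      # unknown token: reject
        user_id, expires = entry
        now = self._clock()
        if expires <= now:
            del self._sessions[key]          # timed out: client must log in again
            return None
        self._sessions[key] = (user_id, now + self._ttl)  # restart the timeout
        return user_id

    def revoke(self, presented):
        """Logout: drop the token so it stops working immediately."""
        self._sessions.pop(_digest(presented), None)
```

On the Android side the client keeps the returned token and sends it with each request; a `None` result from `authenticate` corresponds to the "log back in" case in the analysis of method 2.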
