Android -> PHP session management

I have an Android app that interacts with my server written in PHP. I have done several requests that will be called via POST from the Android app and will be answered in JSON format.

I have a login request: the Android application will send the credentials (password and username) to the server. If login is successful the session_ID will be sent as an answer. For every other request that needs user authentication the session_ID will be required. If that session_ID is not set, I will assume that the user is not logged in. Otherwise, if the session_ID exists I will answer the request with the requested data.

I'm going to check the authentication with the following code.

<?php
// Reject the request when the client sent no session ID, or one that is not a
// valid PHP session ID (letters, digits, ',' and '-', 22 to 256 characters).
if (!isset($_POST['session_ID'])
    || !preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $_POST['session_ID']))
{
    $json = array();
    $json[] = array(
        'return'    => $errors_authentification, // error code defined elsewhere in the app
        'error_msg' => "User not authenticated"
    );

    echo json_encode($json);
    return;
}

// Resume the session the client named; session_id() must be called before session_start().
session_id($_POST['session_ID']);
session_start();

// session_start() silently creates a new, empty session for an unknown ID, so the
// presence of the ID proves nothing: check for a value the login handler stored.
// ($_SESSION['user_id'] is an assumed name; use whatever the login request sets.)
if (empty($_SESSION['user_id'])) {
    $json = array(array('return' => $errors_authentification, 'error_msg' => "User not authenticated"));
    echo json_encode($json);
    return;
}

Do you think this is a good approach? I've seen posts talking about tokens instead of session_ID to deal with Android - PHP interactions that need authentication; what is the difference?

csharper asked Jun 14 '26 13:06
1 Answer

@csharper, @pasi

I don't think JWT on its own is secure enough. Yes, it is signed by the server and is guaranteed to be tamper-free. However, if someone knows the JWT (if saved in local storage), the same JWT can be used multiple times within the TTL period (a hacker might use the JWT to impersonate within the TTL period). If we save the JWT in a cookie and send it back to the server with every request using HTTPS, I know the scenario is a bit tight, but is it completely non-repeatable? I would recommend using a one-time token with a JWT, so it prevents repetitive requests.

Do you think this is a good approach? Any ideas on this will be greatly appreciated.

Thank you,

Anjana Silva answered Jun 17 '26 03:06
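As an added example (not code from the question or the answer), here is what the answer's "one-time token with a JWT" idea can look like in PHP: each HS256 token carries a random jti claim that the server accepts exactly once, so a JWT captured from local storage cannot be replayed within its TTL. The HMAC key, the in-memory $used array and the user id '42' are constructed for the demo.

```php
<?php
// Added example: HS256 JWT whose "jti" claim is a one-time token. The server
// remembers consumed jti values, so a captured JWT cannot be replayed within
// its TTL. $usedJti is an in-memory array here; a real app would use a
// database or cache shared by all PHP workers.

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/'));
}

function issue_jwt(string $userId, string $key, int $ttl = 300): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'sub' => $userId,
        'exp' => time() + $ttl,
        'jti' => bin2hex(random_bytes(16)),  // unique per token: the one-time part
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// Returns the user id on success, null on any failure. Each jti is accepted once.
function verify_jwt(string $jwt, string $key, array &$usedJti): ?string {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode(b64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') return null;  // never accept "none"
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $key, true));
    if (!hash_equals($expected, $sig)) return null;       // constant-time compare
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'], $claims['jti'])) return null;
    if ($claims['exp'] < time()) return null;              // expired
    if (isset($usedJti[$claims['jti']])) return null;      // replay: jti already consumed
    $usedJti[$claims['jti']] = $claims['exp'];             // mark consumed; purge after exp
    return (string) $claims['sub'];
}

// Demo: the login handler would call issue_jwt(); the second verify fails because
// the jti was consumed, so the response to a valid request should carry a fresh JWT.
$key  = random_bytes(32);   // HMAC key kept only on the server (constructed here)
$used = [];
$jwt  = issue_jwt('42', $key);
var_dump(verify_jwt($jwt, $key, $used));
var_dump(verify_jwt($jwt, $key, $used));
```

Because every successful request consumes its jti, the server must hand the client a new JWT in each response, and the consumed-jti store needs to be shared across workers and purged once the tokens' exp has passed.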


