There is a website with a lot of users. In order to use the private pages the user has to login with username and password.
Now I'm working on an Android app that displays content from the website via an API in a native way, no WebView or similar. The workflow would be the following:
Now I'm searching for a best-practice solution for this. I don't want my session keys to be simply hijackable and I want to be sure that the session key really belongs to this user. As private data can be seen/modified via the app, privacy is important.
I took a look at OAuth but this isn't what I need, I think, because I need a consumer key and consumer secret that is unique for every user and I can't integrate this into the app. I don't want to have a new window/browser for entering username+password and handle the response via a callback like OAuth is doing.
Any hints on this?
Thanks a lot!
For a good starting point on HTTP authentication best practices, have a look at this article:
"Principles for Standardized REST Authentication".
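One way to meet the question's requirement (a per-user key and secret handed out after a plain username/password login, no browser redirect, and a session key that is provably tied to one user) is to sign every API request with an HMAC over the method, path, timestamp and body. The example below is added here and is not code from the question, the answer or the linked article; the header names, the in-memory stores and the 300-second clock-skew window are assumptions.

```python
import hashlib, hmac, secrets, time

SKEW_SECONDS = 300          # assumed tolerance for clock drift; also bounds replay
_SALT = b"constructed-salt"  # per-user salts belong in the real user store

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed stand-in for the website's user store: username -> password hash
_USERS = {"alice": _pw_hash("correct horse")}
# Issued credentials: access_key -> (username, secret). A real deployment persists
# these with an expiry; kept in memory here so the example runs stand-alone.
_SESSIONS = {}

def login(username, password):
    """Verify the password and hand the app a per-user key id and secret."""
    expected = _USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, _pw_hash(password)):
        return None
    access_key, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    _SESSIONS[access_key] = (username, secret)
    return access_key, secret

def canonical(method, path, timestamp, body):
    """What both sides sign: tampering with any field invalidates the MAC."""
    return "\n".join([method.upper(), path, str(timestamp),
                      hashlib.sha256(body).hexdigest()]).encode()

def sign_request(access_key, secret, method, path, body, timestamp=None):
    """Client side: headers the app attaches to each API call."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret.encode(), canonical(method, path, ts, body), hashlib.sha256)
    return {"X-Key": access_key, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}

def verify_request(headers, method, path, body, now=None):
    """Server side: return the username the request belongs to, or None."""
    now = int(time.time()) if now is None else now
    entry = _SESSIONS.get(headers.get("X-Key", ""))
    if entry is None:
        return None
    username, secret = entry
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    if abs(now - ts) > SKEW_SECONDS:   # stale or future-dated: reject (replay limit)
        return None
    expected = hmac.new(secret.encode(), canonical(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return username
```

The secret never travels after login, so a captured request only replays within the skew window and cannot be reused for a different path or body; the server should still issue the credentials only over TLS and expire them.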