  1.    #1  
    I am looking for an example of how to authenticate an app user. If I have a user login, can I create some sort of token, that allows their app on their device to stay "logged in"?

    To be more clear, I know how to take in input and pass it onto a REST service for authentication. I am looking for how to maintain authentication, maybe through some sort of token or device id that can't be spoofed.

    Also, if you know of any good documents on the subject, please leave links here.
    Last edited by RockCityGhost; 01/04/2010 at 04:44 PM. Reason: To clarify my question.
  2. #2  
    I have no clue, but try asking these guys, as the app seems to do what you are asking.

    http://forums.precentral.net/syntact...email-app.html
  3. #3  
    Palm frowns on using device ids to authenticate users (although I've seen a few developers do it anyway). To do what you are saying, I'd create a pseudo session id and store it on the device (as a cookie). Then pass it with each subsequent request to your server (just as a browser-based cookie would).

    On the server end, create a table in your database that includes the session id and an "expire" timestamp which is checked/updated with each request from the app.

    This is very similar to how I store sessions in a database via PHP, only you have to handle the passing and checking of the session id and timestamp yourself.

    Does that help???
    MoBill - Use your Authorize.net account to bill your customers with your webOS device!!
    MoJack - Track your lost or stolen webOS device from anywhere!
    Time to get VIRAL
  4.    #4  
    Laxidasical,

    Thanks for the response. At my day job, we've gone away from the idea of a webOS app for now, but the cookie idea is something I could try.

    Your ideas definitely help. I am going to google it, but do you have any links to Palm discussing Device IDs and why they don't want devs to use them as "session ids"?
  5. #5  
    I've actually revised the way I handle a login since this post...

    My apps require an account on a remote server, so now logins are done against a PHP/MySQL script. Here is a post where I demonstrate: http://forums.precentral.net/web-os-...ml#post2231148

    If you have a stand alone app, just store the username & password in your app's cookie.
  6. #6  
    Originally posted by RockCityGhost:
    Laxidasical,

    Thanks for the response. At my day job, we've gone away from the idea of a webOS app for now, but the cookie idea is something I could try.

    Your ideas definitely help. I am going to google it, but do you have any links to Palm discussing Device IDs and why they don't want devs to use them as "session ids"?
    I could be wrong but I don't remember reading that Palm didn't want devIDs to be used as session IDs. What I recall is that they don't want devIDs to be used to identify users for login (i.e. replace username/password with DevIDs).

    This is because if the user breaks their phone, it will be "recycled" and the new user will have the old DevID and be able to login to the old user's account.

    I think using the devID for session IDs is the perfect use for it because it cannot be spoofed. What other use is there for devIDs?
    mobigamedepot.com
  7. #7  
    Originally posted by djpushplay:
    I could be wrong but I don't remember reading that Palm didn't want devIDs to be used as session IDs. What I recall is that they don't want devIDs to be used to identify users for login (i.e. replace username/password with DevIDs).
    I said...

    Originally posted by djpushplay:
    Palm frowns on using device ids to authenticate users...
    ...which would include session ids, as sessions are used to authenticate a particular user with each request. I'm not saying that using it isn't ideal, as a session probably shouldn't survive a device swap and the nduid is hard to spoof (not impossible, as any data passed can be spoofed).

    I forgot to post exactly what Palm said...
    System Properties – Palm Developer Center
  8. #8  
    Originally posted by Laxidasical:
    ...which would include session ids, as sessions are used to authenticate a particular user with each request. I'm not saying that using it isn't ideal, as a session probably shouldn't survive a device swap and the nduid is hard to spoof (not impossible, as any data passed can be spoofed)
    Yeah, I agree. I wish Palm would be more open and clear about their policies and practices. What the original poster is trying to do is not uncommon and should be part of Palm's sample code package or at the least, documented properly.
  9. #9  
    Why not just have the server create a session ID as it would with a regular website and pass that back to the app? Then pass that back to the server with each request the app makes until the user logs out or the session expires on the server.

    I do this with both of my apps, it works great!
    Last edited by Laxidasical; 03/25/2010 at 02:43 AM.
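The server-side session table described in posts #3 and #9, sketched as an added example that is not code from the thread or from any poster's app: the server issues a random session id after login, stores it with an "expire" timestamp, and checks and updates that timestamp on every request. The names `SessionStore` and `SESSION_TTL_MS`, the 30-minute timeout, the in-memory `Map` standing in for the database table, and the choice to store only a hash of the id are all assumptions of this sketch.

```javascript
// Added example: server-side session table with a sliding expiry.
// SessionStore, SESSION_TTL_MS and the Map-backed "table" are hypothetical.
const crypto = require('node:crypto');

const SESSION_TTL_MS = 30 * 60 * 1000; // assumed 30-minute idle timeout

class SessionStore {
  constructor() {
    // Stands in for the database table: token hash -> { userId, expires }
    this.rows = new Map();
  }

  // Only a hash of the id is stored, so a leaked table does not
  // hand out usable session ids.
  static hash(token) {
    return crypto.createHash('sha256').update(token).digest('hex');
  }

  // Call after the username/password check succeeds.
  create(userId, now = Date.now()) {
    const token = crypto.randomBytes(32).toString('hex'); // 256-bit random id
    const expires = now + SESSION_TTL_MS;
    this.rows.set(SessionStore.hash(token), { userId, expires });
    return token; // the app keeps this in its cookie and sends it back
  }

  // Call on every request: check the expire timestamp, then update it.
  validate(token, now = Date.now()) {
    if (typeof token !== 'string') return null;
    const key = SessionStore.hash(token);
    const row = this.rows.get(key);
    if (!row) return null;              // unknown or made-up id
    if (now >= row.expires) {           // idle too long: drop the row
      this.rows.delete(key);
      return null;
    }
    row.expires = now + SESSION_TTL_MS; // sliding expiry
    return row.userId;
  }

  // Logout: the id stops working immediately.
  destroy(token) {
    return this.rows.delete(SessionStore.hash(String(token)));
  }
}
```

Because the id is random and generated on the server, it carries no device identity; a replacement or recycled device simply has no valid cookie and must log in again.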