How to manage session for a user logged in from mobile app in PHP?

Question

I\'m a PHP programmer by profession. So, I don\'t have any idea about iOS and Android coding.

The scenario is there is one website developed using a

Answer 1

Your server should be completely stateless, and so no session should be stored.. a REST API is effectively just a data abstraction layer with optional security (through token)

So you API expose an authentication service, which will respond with an Authorization token to be used on subsequent requests as a header, this token should be a 1to1 relation with each user, and Universally Unique. It should also have an expire time, at which point your server responds with appropriate error response requesting your app to refresh the token, which can be done either via a separate refresh token system, or requesting that the user logs in again to refresh the token.

It is the APP which should maintain the state, not the server. The server is merely there for data purposes, and so should not rely on any kind of session based authentication.

Answer 2

If your are using Oauth 2 for athentication, here is the common setup:

• User logs in on mobile app
• If the credentials are ok, the server returns the access token, a refresh token and the token's lifetime
• The mobile app stores those values + current timestamp
• On the server's side, a garbage collector is configured to clear expired tokens
• Before making any api call, the mobile app checks if the token is about to expire (with the help of the stored values). If the token is about to expire, the app sends the refresh token which instructs the server to generate a new access token
• If you want users to stay connected, the app can be configured to check the access token periodically and request a new one if it's stale

Hope this helps.

Cheers

Answer 3

A session is "something" that lives on the server. It can be an object storing details about the user (for instance session id, username, email address...) or any other data that will be required to process future requests (such as shopping cart details, delivery address...).

That "something" is typically an object, which can be stored in memory, in a database or even serialized and saved to the file system (I believe this is the default in PHP).

So when you say "I don't know whether the session is maintained in iOS/Android app", I'm afraid that doesn't make sense. Only the server can maintain sessions.

Typically, the only thing that the client would know (web browser or mobile app) is the session id (in the form of a token or GUID). That is the only thing the client/app needs to remember and it needs to be sent alongside any request to the server.

It could be stored as a cookie and/or sent to the server as a request header.

Then the server will read the session id/token from the cookies or header and will retrieve the session details from the place where it stores sessions (file system, memory or database). That is what happens behind the scene when you call session_start().

To read more about session handling and how to create custom session handler (which might be required in your case to get a token from the request headers):
http://php.net/manual/en/function.session-start.php

Answer 4

Unlike web browsers, iOS and android apps cannot maintain sessions. Usually, once a user has logged in (login credentials verified from server), its login credentials are saved on client side. Then the app gets data from server using session less REST api calls. This is how mostly it is done in mobile applications.

However, if you want the server session and mobile app go hand in hand (which i don't think is a good idea), the way is

1) When the user logs in, a security token is generated on the server side and saved on both server and client side.

2) The mobile app will be able to communicate with the server as long as the security token is valid.

3) When the session expires, the security token becomes invalid. Now there must be an understanding between server and client about the response when the session is expired. Now the mobile app must redirect the user to login page again. The user will login again and then communicate with the server. This should happen every time the session is expired.

Answer 5

REST is sessionless for its nature. You need to generate a token when user logged in. You must save this token on your mobile client. For every request, you need to attach a valid token in request header and check it at server side. If token expires, the token stored on a client is not valid. So, you need to login again because of 401 response. If token it's not correct you need to responde 400. I hope that I'm helpful for you.

Answer 6

I dont have any experience working with PHPFox but this is how a mobile frontend should ideally handle the issues:

Case 1: Mobile app actively talking to server:

• Session timeout stamp keeps bumping up and session stays alive.

Case 2: Mobile app active without any server communication (e.g. incoming phone call, moving between apps etc.):

• Server session may or may not timeout.
• If it times out, next query to server will fail auth and return an error.
• App consumes this error and gracefully redirects to login screen with a message toast urging the user to login. (This happens in my banking app)

Case 3: User kills the app on device and relaunches it:

• The app should store the token either in sqllite or shared preferences. (Always logged in apps take this approach)
• Upon relaunch, app can query the server with the presistent token.
• If session is alive, communication goes through and user can continue. If not, user goes to login screen as in Case 2.