android - How should the login process look?


I have a problem with how the login process should look. I've written a client and a server, and the login process looks like this:

  1. The user enters a phone number and password -> clicks "login/sign up".
  2. The client creates a user object and puts the phone number and password in it.
  3. The client sends a request code to the server, i.e. integer = 1 -> the server waits for a user object.
  4. The client sends the newly created user object (from step 2) to the server. The client waits for the answer (an integer).
  5. The server checks if the user exists:
    • if yes, the next step is to check the password; if the password is OK the server sends the client answer 1, and then sends a user object with the user details from the database.
    • if yes but the password is not OK, answer 0, and nothing else is sent.
    • if no, answer -1, and nothing else is sent.
  6. The client handles the answer:
    • int = 1 --> (user exists, password OK) --> receives the object, takes the data from the object
    • int = 0 --> (user exists, password not OK) --> toast "try again"
    • int = -1 --> (user does not exist) --> go to the profile activity
  7. If the answer is -1, the profile activity opens, the user enters their details, the client puts the details in the user object and sends it to the server with request code int = 2 --> the server writes the user to the user list.

Is this the right way to do login? Should I maybe send the phone number as a raw integer and the password instead of a user object? Every time I want to connect to the server, should I send a request code describing what I want to do, or is there a better idea for this?

The state "user exists, pass not ok" seems a bit problematic to me. This way an attacker can split the attack into 2 phases:

  1. try all possible user names (your server reveals if a user name exists, independent of the password)
  2. for the known existing user names, try a dictionary of possible passwords.

So I recommend not leaking information on whether the username exists.
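The enumeration the answer describes, and the uniform-failure fix, as an added Python example that is not part of the original question or answer (the asker's client is Android; this stands in for the server side, where the check actually happens). The JSON wire format with a "code" field, the phone numbers, passwords, display names and PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

# Illustrative PBKDF2 parameters (assumed, not from the post); a real deployment
# would tune the iteration count to its hardware.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_store(users: dict) -> dict:
    """Constructed server-side user table: phone -> (password, display name) in,
    phone -> {salt, hash, name} out. Only the salted hash is stored."""
    store = {}
    for phone, (password, name) in users.items():
        salt = os.urandom(16)
        store[phone] = {"salt": salt, "hash": _hash_password(password, salt), "name": name}
    return store


# A fixed dummy credential so the "unknown phone" path does the same PBKDF2 work
# as the "known phone" path; otherwise response time alone would reveal existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)


def leaky_login(store: dict, phone: str, password: str) -> int:
    """The scheme from the question: 1 = OK, 0 = wrong password, -1 = no such user.
    The -1 is the leak: it answers "does this phone have an account?" for free."""
    rec = store.get(phone)
    if rec is None:
        return -1
    if hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return 1
    return 0


def hardened_login(store: dict, phone: str, password: str) -> int:
    """Returns only 1 (OK) or 0 (failed). Unknown phone and wrong password are
    indistinguishable both in the answer and in the work done to produce it."""
    rec = store.get(phone)
    salt, expected = (rec["salt"], rec["hash"]) if rec else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash_password(password, salt), expected)
    return 1 if (rec is not None and match) else 0


def probe_existing(login_fn, store: dict, candidate_phones) -> set:
    """Phase 1 of the attack in the answer: try each candidate with a throwaway
    password and keep every phone the server does not deny. Against leaky_login
    this is exactly the set of registered phones; against hardened_login it is
    every candidate, i.e. the attacker learned nothing."""
    return {p for p in candidate_phones if login_fn(store, p, "not-the-password") != -1}


def handle_request(store: dict, raw: bytes) -> dict:
    """Hypothetical wire format (assumed, not the post's): one JSON object per
    request, {"code": 1, "phone": "...", "password": "..."} for login, so the
    request code and the credentials travel together instead of as two sends.
    Profile details are returned only on success, and never the password material."""
    try:
        msg = json.loads(raw)
        code = int(msg["code"])
        phone = str(msg["phone"])
        password = str(msg["password"])
    except (ValueError, KeyError, TypeError):
        return {"answer": 0}          # malformed input gets the same generic failure
    if code != 1:
        return {"answer": 0}          # only login is handled in this example
    if hardened_login(store, phone, password) == 1:
        return {"answer": 1, "user": {"phone": phone, "name": store[phone]["name"]}}
    return {"answer": 0}


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    store = make_store({"+15550000001": ("hunter2", "Alice"),
                        "+15550000002": ("correct horse", "Bob")})
    candidates = ["+15550000001", "+15550000002", "+15550000003"]
    print("leaky    reveals:", sorted(probe_existing(leaky_login, store, candidates)))
    print("hardened reveals:", sorted(probe_existing(hardened_login, store, candidates)))
    print(handle_request(store, b'{"code": 1, "phone": "+15550000001", "password": "hunter2"}'))
```

Note that in the question's flow, step 7 (sign-up) is only reached after the server has answered -1, so the registration path is built on the very leak the answer warns about; a hardened design needs an explicit sign-up request that does not report whether the number is already taken, or that verifies ownership of the number out of band before saying anything.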
