Skip to content Skip to sidebar Skip to footer
Home / Android / Authentication / Cordova / Php

Phonegap Authentication Without Username/password

Post a Comment
i have a phonegap app and i want only my app users to access the api from where i am getting the data. I am using php as my back end. What i did was i created a key and was authent

Solution 1:

Yes sure this can be done,

But several things before you should start.

  • Create a new table to store all the api keys which we are going to generate per user when they are registering through the app.

PHP Side:

  • Grab users password or any unique thing Eg: UDID Andriod, in IOS they have restricted access to UDID and you might have to store some unique generated id in the keychain.
  • Then When we have the password and UDID you can put them together (or anyway you want) and encrypt with Sha1 (or any encryption algorithm) And save it to the api key table
  • Every time when a request hit on the api you can grab the api key from the header and validate it with the database and see.

App Side:

  • When the user login through the app if it is successful, pass the api key to the user and save it inside the app for further use.
  • Also when your going to request the data from the api you can retrieve the api key stored inside the app, Then put it as a header in the request and send.

Few Extra things:

  • Also you can create a private key on both sides (Server and App) then store it in the api key table and encrypt the request which is the server and app only knows using the private keys stored on both sides.
  • Also you can go for advance authentications like oAuth

Solution 2:

Use RSA, the popular Algorithm in SSL/TLS. The point is a private key and public key pair.

Here's the library and example for PHP:

Encrypt and Decrypt text with RSA in PHP

And here's the library for Javascript:

RSA Encryption Javascript

And my personal suggestion: to negotiate a random key store in ram for later usage rather than use the key pair for all message exchange. Because it's a high workload for server(15times more than client). And you can define a object to store the session key in private member.

funciton keyStoreObject() {
    this.publicKey = ''; //this is publicvar sessionKey = ''; //this is privatethis.negotiate() = function () { sessionKey = 123456; //You can access private sessionKey }this.decypt = function (str) {...}; //And write your code here
}

and so create a instance:

var keyStore = new KeyStoreObject;
//so now you can
keyStore.negotiate();

About private member, read more here: http://javascript.crockford.com/private.html

Also, you need to implement a session key store on server side and including a expire time. For small instance, serialize() or SQLite can be used.

Actually, the sessionKey is not fully secure(in theoretically). A desktop browser can make DDoS attack. Human validation like captcha code can help you.

You may like these posts

Post a Comment for "Phonegap Authentication Without Username/password"