php session with LibGDX app

For several web projects I have been using PHP sessions to maintain a connection for the client. Now I am building a LibGDX app that communicates with the web and I'm wondering if using sessions is still possible. I believe a PHP session stores a server-side cookie, so in my theory this would still apply; I just have to save the session ID within the app and send it when a request is made. However, since I do want things to be fairly secure, I am worried about session hijacking. I could generate a fairly long session ID with high entropy to prevent this, and perhaps lock in the current IP of the user, but I'm not sure if this is a valid way for a game. I really do not want any clients to be compromised.

Another way I can think of is checking credentials on each request, or at least each sensitive request. But then I need this to be automatic, which means I need to store the credentials. I'm thinking of storing an encrypted version of the password locally and having the salt in the database. On the server side I will decrypt the password and verify it with BCRYPT again. This way, whenever someone's phone is compromised, he still needs the salt in the database to see his password.

The problem is that if a phone is compromised, there is nothing you can really do. The hijacker will have access to the stored password and the session cookie. Most applications require the user to retype their password for sensitive requests.

You might also consider moving to database sessions, where a user can login elsewhere and revoke any currently running sessions.


Also, don't store passwords locally, even if it is encrypted.
PHP sessions work by storing data about the user/session on the server (by default in a temp file; you can add other hooks such as memcached or database to make it work across multiple application servers.)
The session id value is then sent to the client in a cookie.
When the client makes the next web request, the cookie is sent back, and PHP can look up the session data based on that value.
If LibGDX provides a web interface (HTTP/HTTPS) and properly deals with cookies, then PHP sessions will still work.
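The two replies above describe a database-backed session store that works across application servers and lets a user revoke sessions started elsewhere, plus re-authentication for sensitive requests instead of a stored password. The following is an added example, not code from the thread or from LibGDX, showing what that looks like on the PHP side. It uses SQLite through PDO so it runs stand-alone; the table name `sessions`, its columns, and the helper names `loginUser` and `requireRecentAuth` are assumptions for illustration.

```php
<?php
// Added example: database-backed PHP session handler with per-user revocation.
// Table/column names (sessions: id, user_id, data, last_seen) are assumed.
final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, user_id INTEGER, data TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        // $_SESSION is still populated when PHP calls write() at session close;
        // user_id goes in its own column so sessions can be revoked per user.
        $userId = $_SESSION['user_id'] ?? null;
        $st = $this->db->prepare('REPLACE INTO sessions (id, user_id, data, last_seen) VALUES (?, ?, ?, ?)');
        return $st->execute([$id, $userId, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $maxLifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $maxLifetime]);
        return $st->rowCount();
    }

    // Required for session.use_strict_mode: an id the server never issued is
    // rejected instead of being adopted, which blocks session fixation by a
    // client that simply sends a made-up PHPSESSID.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return (bool) $st->fetchColumn();
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->db->prepare('UPDATE sessions SET last_seen = ? WHERE id = ?')->execute([time(), $id]);
    }

    /** Revoke every session of $userId except $keepId (the one logging in now). */
    public function revokeOthers(int $userId, string $keepId): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE user_id = ? AND id <> ?');
        $st->execute([$userId, $keepId]);
        return $st->rowCount();
    }
}

// Wiring (assumed file path; real deployments would use the app's main DB).
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new DbSessionHandler($db);
ini_set('session.use_strict_mode', '1');
session_set_save_handler($handler, true);
session_set_cookie_params(['lifetime' => 0, 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

// Called after the password has been verified (e.g. with password_verify()).
function loginUser(DbSessionHandler $handler, int $userId, bool $revokeOthers): void
{
    session_regenerate_id(true);          // new id on privilege change: anti-fixation
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();        // when the password was last typed
    if ($revokeOthers) {
        $handler->revokeOthers($userId, session_id());
    }
}

// Sensitive endpoints ask for the password again rather than trusting a stored one.
function requireRecentAuth(int $maxAgeSeconds = 300): bool
{
    return isset($_SESSION['auth_at']) && (time() - $_SESSION['auth_at']) <= $maxAgeSeconds;
}
```

On the client side the only thing the app has to do is what a browser does: keep the `PHPSESSID` value from the `Set-Cookie` response header and send it back in a `Cookie` request header on every request over HTTPS. The session id must come from PHP (`session.entropy_length`/`random_bytes`-backed by default), never be generated or accepted from the client, and `use_strict_mode` with `validateId` is what enforces that. Binding a session to an IP address, as considered in the first post, tends to log mobile users out whenever they move between Wi-Fi and cellular, so revocation and re-authentication for sensitive actions are the more practical controls.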