A
Anthony Papillion
So I'm developing a new application for Windows Mobile (WindowsPhone) that
will use a REST API I'm developing to interact with a backend MySQL server.
While I need to make access secure (it's a medical app), I don't want the
user to constantly have to hit the user table of the database every time
they want to do an API call as that table could have thousands of rows and
could slow down access a bit.
So my thought is to use sessionID's of sorts. When the user does the first
call to the API (which should be a login call since they need to login to
the app), the mobile app will also create and send a unique 22 digit number
that will serve as the session id (alternately, the API could return a
session ID but that's besides the point). The session ID will be stored on
both the server and client side along with the time it was created. The
session will be good for six hours after which the user will need to login
again and create a new sessionID.
Now, each time the mobile client hits the API, it will 1) check the
on-device database to see if the session has expired (look at the time it
was created and see if it's older than six hours). If the session is older
than six hours, go trough the login process, create a new sessionID then
execute whatever calls are needed and 2) make API calls that include the API
command along with any required variables and send along the sessionID with
the call.
This sounds very convoluted but it's the best I could come up with. Can
anyone point me to a better way?
Thanks!
Anthony
will use a REST API I'm developing to interact with a backend MySQL server.
While I need to make access secure (it's a medical app), I don't want the
user to constantly have to hit the user table of the database every time
they want to do an API call as that table could have thousands of rows and
could slow down access a bit.
So my thought is to use sessionID's of sorts. When the user does the first
call to the API (which should be a login call since they need to login to
the app), the mobile app will also create and send a unique 22 digit number
that will serve as the session id (alternately, the API could return a
session ID but that's besides the point). The session ID will be stored on
both the server and client side along with the time it was created. The
session will be good for six hours after which the user will need to login
again and create a new sessionID.
Now, each time the mobile client hits the API, it will 1) check the
on-device database to see if the session has expired (look at the time it
was created and see if it's older than six hours). If the session is older
than six hours, go trough the login process, create a new sessionID then
execute whatever calls are needed and 2) make API calls that include the API
command along with any required variables and send along the sessionID with
the call.
This sounds very convoluted but it's the best I could come up with. Can
anyone point me to a better way?
Thanks!
Anthony