8

Wanted to discuss under-the-hood information about how session is managed in case of mobile apps - native, hybrid and web applications?

Please validate below Session Management scenarios:

Native (Android/iOS) application

  1. Using Session Cookies: Session cookies are stored in your DefaultHttpClient object. Instead of creating a new DefaultHttpClient (AFNetworking in iOS) for every request, hold onto it and reuse it, and your session cookies will be maintained.

Hybrid (JET, ionic, Angular, Cordova) application

  1. Use localStorage to store the user info after a successful login. On logout clear the localStorage.

Web-HTML5 apps

  1. Attribute-SessionStorage in HTML5: Can be used by the sites to add data to the session storage, and it will be accessible to any page from the same site opened in that window i.e session and as soon as you close the window, session would be lost.

Thanks and Regards,

Rohit

Rohit
  • 6,245
  • 14
  • 49
  • 96
  • 1
    Are you asking for confirmation of your categorization or a wider ana,ysis of cookie versus local storage? If the latter, what wasn't covered in http://stackoverflow.com/questions/19867599/what-is-the-difference-between-localstorage-sessionstorage-session-and-cookies or http://stackoverflow.com/questions/3220660/local-storage-vs-cookies – Peter Brittain Aug 01 '16 at 22:21

1 Answers1

4

Old way of managing sessions is via cookies.

How it works? When your user enter username and password in your login screen, you give him a session cookie. This cookie is maintained every interaction within your user browser and your web site. You need to maintain this cookie in your server side. In addition to this session cookie, web sites hold additional information about user in server side session too.

What is problem of this approach?

Inherently, it is not scale-able.

If your user numbers are not high, you can hold this session cookies and additional information in one web server. But if user numbers are high, you need to solve with this with different approaches, like holding this session information in a database or session server.

What is new way of storing sessions

Modern browsers has a local storage capacity. This local storage is ideal for non-critical information for users. Session storage is one session only and when user closes browser (tab), it is deleted. Local storage is for one site, and you need to explicitly delete it or users may choose to delete it. Store any non-critical information here. If your users logs out from your site, delete them.

Hybrid (JET, ionic, Angular, Cordova) application

A Cordova application is no different from web browser. Here you are sure that your user is only user in this computer (mobile phone); therefore, use exclusively local storage.

Native (Android/iOS) application

Use sqlite to hold your all session information. Never use cookie authorization with native application, it is unnecessary and not scale-able. Use token authorization.

All applications.

For all applications use your login screen to get authorization token, for example JWT token and store it in your application.

  1. web application - local storage
  2. hybrid application mobile - local storage
  3. native application - sqlite

Read difference between cookie authorization vs token authorization here.

Confidential Information

Do not store any confidential information (password, credit card ..) in any of these storage. Store them in your database, and show them to user case by case.

Atilla Ozgur
  • 13,569
  • 3
  • 44
  • 65
  • 24
    A very confusing answer. It is not clear from the answer how exactly the local storage version is more scalable than the cookie version. It is not clear how a session can be preserved when closing and reopening the browser. It is incorrect to say that cookie-based solutions are not scalable: it is only a question of scaling, notifying and persisting on the server side, which can be sensible solved. Finally it is not clear why any of this advice is correct as there are no references to such a general question that indeed requires some. – Oleg Sklyar Aug 01 '16 at 12:42