
I have an Android application which talks to a server through REST API web services. I need to apply session management in the Android application. At the server side, if there are 15 mins of inactivity the user will get logged out and a new authentication token is generated. I want to do session management in my Android application. I am using Volley for the network calls.

REASON behind doing this:

I want to apply session management because after 15 mins of inactivity the server will generate a new token key and invalidate the session. Then the Android application needs to have the new token key generated by the server for authentication and a successful web service call.

What I have till now for session management in Android:

My MainActivity code:

import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.support.v7.app.AppCompatActivity; // androidx.appcompat.app.AppCompatActivity on AndroidX projects

public class MainActivity extends AppCompatActivity {

    // Matches the server's inactivity window: 15 minutes in milliseconds (900000).
    // (600000 would be 10 minutes, so the client would log out before the server did.)
    public static final long DISCONNECT_TIMEOUT = 15 * 60 * 1000L;

    // Runs the logout callback on the main thread; no custom handleMessage is needed.
    private final Handler disconnectHandler = new Handler(Looper.getMainLooper());

    private final Runnable disconnectCallback = new Runnable() {
        @Override
        public void run() {
            // Perform any required operation for log out, then leave this screen
            Intent intent = new Intent(MainActivity.this, SecondActivity.class);
            startActivity(intent);
            finish(); // so Back cannot return to the authenticated screen
        }
    };

    // Called on every user interaction: restart the 15-minute countdown
    public void resetDisconnectTimer() {
        disconnectHandler.removeCallbacks(disconnectCallback);
        disconnectHandler.postDelayed(disconnectCallback, DISCONNECT_TIMEOUT);
    }

    // Cancel the pending logout (e.g. when the activity is no longer visible)
    public void stopDisconnectTimer() {
        disconnectHandler.removeCallbacks(disconnectCallback);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }

    @Override
    public void onUserInteraction() {
        super.onUserInteraction();
        resetDisconnectTimer();
    }

    @Override
    public void onResume() {
        super.onResume();
        resetDisconnectTimer();
    }

    @Override
    public void onStop() {
        super.onStop();
        stopDisconnectTimer();
    }
}

How can I check if the session has timed out at the server side, or how can I log out the user after 15 mins of inactivity?

sagar suri

3 Answers

3

Like you said, on your server side you should have a token and an expiration date which you should always check, on every user request. The token becomes invalid if the date has expired, and the user will get no more responses until a new session is started (this way, you can redirect to the login page, because the server response is 'invalid token' or 'session time elapsed').

In other words, put simply, no one needs to be watching whether the session has already expired. Only when the user makes a new request does the server validate the user session. It's secure enough.

PedroHawk
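The per-request check this answer describes, as an added example that is not PedroHawk's code: a small Java session store with a sliding 15-minute idle window, plus a servlet filter that runs before every REST handler and answers 401 with an 'invalid token' JSON body when the token is missing or expired. The class names, the in-memory map and the JSON body are assumptions for this example; a real deployment would back the store with something shared across server instances.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Issues random tokens and expires them after 15 minutes without a request (assumed store). */
final class SessionStore {
    static final long IDLE_TIMEOUT_MS = 15 * 60 * 1000L;  // 15 minutes of inactivity
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, Long> lastSeen = new ConcurrentHashMap<>();  // token -> last request (epoch ms)
    private final Map<String, String> owner = new ConcurrentHashMap<>();   // token -> user id

    /** Creates a fresh, unguessable token for an authenticated user. */
    String issue(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        lastSeen.put(token, System.currentTimeMillis());
        owner.put(token, userId);
        return token;
    }

    /** Returns the user id if the token is live (and refreshes its idle timer), else null. */
    String validate(String token, long now) {
        if (token == null) return null;
        Long seen = lastSeen.get(token);
        if (seen == null) return null;
        if (now - seen > IDLE_TIMEOUT_MS) {
            revoke(token);          // expired: forget it so it can never be reused
            return null;
        }
        lastSeen.put(token, now);   // sliding window: each request extends the session
        return owner.get(token);
    }

    void revoke(String token) {
        lastSeen.remove(token);
        owner.remove(token);
    }
}

/** Runs before every REST handler; rejects missing or expired tokens with HTTP 401. */
final class SessionFilter implements Filter {
    private final SessionStore sessions;

    SessionFilter(SessionStore sessions) { this.sessions = sessions; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Token is sent by the client as "Authorization: Bearer <token>"
        String header = http.getHeader("Authorization");
        String token = (header != null && header.startsWith("Bearer ")) ? header.substring(7) : null;

        String userId = sessions.validate(token, System.currentTimeMillis());
        if (userId == null) {
            out.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.setContentType("application/json");
            out.getWriter().write("{\"error\":\"invalid token\"}");
            return;                 // the handler is never reached
        }
        http.setAttribute("userId", userId);  // handlers read the identity from here
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Because `validate` both checks and refreshes the timestamp, the server needs no background job to "watch" sessions: a token that has been idle for more than 15 minutes is simply dropped on the next request that carries it, and the client learns this from the 401.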
1

You don't have to use any session management in the Android application. Better, for every request you have to send the token within the header params; on the server side the token authentication is taken care of and the response JSON is returned; on the client side you have to apply logic with respect to the response JSON.

1

As previous answers stated, you should let the server (the REST API) handle that.

On every request from your Android application, send the token you have as a header (just best practice) and let the server validate that token first, at all times, before doing anything else. If the token is not valid anymore, you can let it send you a special response with HTTP 401 or some other HTTP code, telling you that your session timed out.

In your Android application you have to handle this response and automatically start/redirect to the login. Once the user is logged in, everything is as usual.

If you want, you can try to remember where the user was before getting thrown out and redirect back to that activity after they are authorized again.

Here are some resources for REST session management:
https://www.quora.com/What-is-the-best-way-of-session-management-in-REST-architecture

If REST applications are supposed to be stateless, how do you manage sessions?

http://blog.synopse.info/post/2011/05/24/How-to-implement-RESTful-authentication

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Nico
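The client side of what this answer and the one above describe, as an added example that is not Nico's code or the question's: a Volley request that attaches the stored token as an `Authorization` header, treats HTTP 401 as "session timed out", clears the stale token, and sends the user to a login screen while remembering which activity to return to. `TokenStore`, `SessionRedirect`, `AuthenticatedJsonRequest` and `LoginActivity` are assumed names for this example; `SharedPreferences` is used for the token only to keep the example short.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;

import com.android.volley.AuthFailureError;
import com.android.volley.Response;
import com.android.volley.VolleyError;
import com.android.volley.toolbox.JsonObjectRequest;

import org.json.JSONObject;

import java.util.HashMap;
import java.util.Map;

/** Holds the server-issued token (assumed helper; SharedPreferences for brevity). */
final class TokenStore {
    private static final String PREFS = "session", KEY_TOKEN = "token";

    static String get(Context ctx) {
        return ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).getString(KEY_TOKEN, null);
    }
    static void set(Context ctx, String token) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit().putString(KEY_TOKEN, token).apply();
    }
    static void clear(Context ctx) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit().remove(KEY_TOKEN).apply();
    }
}

/** A JSON request that sends the token and routes a 401 to the login screen. */
class AuthenticatedJsonRequest extends JsonObjectRequest {
    private final Context appContext;

    private AuthenticatedJsonRequest(Context appContext, int method, String url, JSONObject body,
                                     Response.Listener<JSONObject> onSuccess,
                                     Response.ErrorListener onError) {
        super(method, url, body, onSuccess, onError);
        this.appContext = appContext;
    }

    /** Build a request whose error listener only sees errors that are NOT a session timeout. */
    static AuthenticatedJsonRequest create(final Activity activity, int method, String url,
                                           JSONObject body, Response.Listener<JSONObject> onSuccess,
                                           final Response.ErrorListener onOtherError) {
        Response.ErrorListener errorListener = new Response.ErrorListener() {
            @Override
            public void onErrorResponse(VolleyError error) {
                if (isSessionExpired(error)) {
                    SessionRedirect.toLogin(activity);   // 401 from the server: session timed out
                } else {
                    onOtherError.onErrorResponse(error); // network/5xx/etc. stay with the caller
                }
            }
        };
        return new AuthenticatedJsonRequest(activity.getApplicationContext(),
                method, url, body, onSuccess, errorListener);
    }

    /** Volley raises AuthFailureError for 401/403; the raw status is checked as well. */
    static boolean isSessionExpired(VolleyError error) {
        if (error instanceof AuthFailureError) return true;
        return error.networkResponse != null && error.networkResponse.statusCode == 401;
    }

    @Override
    public Map<String, String> getHeaders() throws AuthFailureError {
        String token = TokenStore.get(appContext);
        if (token == null) {
            // No token at all: fail the request locally; Volley delivers this as AuthFailureError
            throw new AuthFailureError("no session token stored");
        }
        Map<String, String> headers = new HashMap<>(super.getHeaders());
        headers.put("Authorization", "Bearer " + token);
        return headers;
    }
}

/** Drops the stale token and moves to login, remembering where the user was (assumed helper). */
final class SessionRedirect {
    static final String EXTRA_RETURN_TO = "return_to";

    static void toLogin(Activity current) {
        TokenStore.clear(current);
        Intent intent = new Intent(current, LoginActivity.class);   // LoginActivity is assumed
        intent.putExtra(EXTRA_RETURN_TO, current.getClass().getName());
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        current.startActivity(intent);
        current.finish();
    }

    /** Called by LoginActivity once the server has handed out a fresh token. */
    static void afterLogin(Activity login, String newToken) {
        TokenStore.set(login, newToken);
        String returnTo = login.getIntent().getStringExtra(EXTRA_RETURN_TO);
        Intent next = new Intent();
        next.setClassName(login, returnTo != null ? returnTo : MainActivity.class.getName());
        login.startActivity(next);
        login.finish();
    }
}
```

Usage: `queue.add(AuthenticatedJsonRequest.create(this, Request.Method.GET, url, null, onSuccess, onError))` from any activity. Every expired-session 401 then follows one path (clear token, go to login, come back), so the client never needs its own copy of the server's 15-minute clock; the timer in the question is only a convenience for hiding sensitive screens early, not the source of truth.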