I didn’t work on session management on mobile apps.
So i am trying to build an api server in golang for a mobile app.
it doesn’t have cookies .
so how to keep a user logged in a secure session?
how Facebook and Google let their users keep logging in?
Usually you do some kind of log-in request to start your session. You will get a Token back, and then you add this Token to future requests. Either as part of the URL, as part of the request body, or in a HTTP-Headerfield, usually it is “Authorization”, the Token beeing prefixed by Bearer and a space.
How this Token is generated, validated and other stuff depends on your application.
does this (part of url, http-headers) open a chance for the man in middle attackers?
Not if you use HTTPS.
In suitably secure storage on the device. On iOS that’s the Keychain, other operating systems have their equivalent.
that’s right.
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.