How do mobile apps hold sessions?

I didn’t work on session management on mobile apps.

So I am trying to build an API server in Golang for a mobile app.

It doesn’t have cookies.

So how do I keep a user logged in to a secure session?

How do Facebook and Google let their users stay logged in?

Usually you do some kind of log-in request to start your session. You will get a token back, and then you add this token to future requests, either as part of the URL, as part of the request body, or in an HTTP header field. Usually it is “Authorization”, the token being prefixed by “Bearer” and a space.

How this token is generated, validated and other stuff depends on your application.


Does this (part of URL, HTTP headers) open a chance for man-in-the-middle attackers?

Not if you use HTTPS.


@AnikHasibul try this


@luk4z7 thanks! I got the idea! But still a confusion. Where should I store the token?

In suitably secure storage on the device. On iOS that’s the Keychain, other operating systems have their equivalent.


That’s right.

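The token flow described in the replies above (log in, get a token back, send it as `Authorization: Bearer <token>`), as an added Go example that is not from any poster in this thread. It assumes opaque random tokens and an in-memory store; `Store`, `Issue`, `Authenticate` and the user ID are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"sync"
	"time"
)

type session struct {
	userID  string
	expires time.Time
}
// Store (hypothetical) maps SHA-256(token) to a session, so a leaked store holds no usable tokens.
type Store struct{ sessions sync.Map }

// Issue runs after a successful log-in and returns an opaque 256-bit random token.
func (s *Store) Issue(userID string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.sessions.Store(sha256.Sum256([]byte(token)), session{userID, time.Now().Add(ttl)})
	return token, nil
}

// Authenticate takes the Authorization header value and returns the user ID of a live session.
func (s *Store) Authenticate(header string) (string, bool) {
	if !strings.HasPrefix(header, "Bearer ") {
		return "", false
	}
	key := sha256.Sum256([]byte(strings.TrimPrefix(header, "Bearer ")))
	v, ok := s.sessions.Load(key)
	if !ok || time.Now().After(v.(session).expires) {
		s.sessions.Delete(key) // forget expired sessions
		return "", false
	}
	return v.(session).userID, true
}

func main() {
	var s Store
	token, _ := s.Issue("user-42", time.Hour) // constructed user ID
	fmt.Println(s.Authenticate("Bearer " + token))
}
```

In an HTTP handler, pass `r.Header.Get("Authorization")` to `Authenticate` and answer 401 when it returns false.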
