I apologize if this may be common sense to some, but I’m still learning. I have an iOS app that syncs files to a web server. Once the user logs in on the device, he remains logged in unless he signs out. Currently, whenever the user initiates a server request, such as adding, updating, or deleting files, I only send the user’s email and not the password to the server, since the user is already authenticated on the device.
Should I be sending the user’s stored password each time he makes a request and have the server authenticate it before proceeding with the request? Why or why not?
You should send a session identifier, rather than an email address.
The session identifier is a large number (128 bits is sufficient) chosen by a cryptographic random number generator when the user is successfully authenticated. It is set as a “cookie” in the user’s web device and sent with each request over a secure channel (TLS).
Email addresses are public. You can only authenticate requests with secrets, like a password or a session identifier.
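To make the answer concrete, here is an added example (not code from the question or the answer) of the server side of this design in Python: a password is checked once at login, a 128-bit session identifier from the `secrets` module is handed back, and every later sync request is authorised by that identifier rather than by the email address. The email-only handler at the bottom mirrors the pattern the question describes, so the two can be compared. Everything here is constructed for illustration: the in-memory `SessionStore`, the sample user, the 30-day lifetime and the function names are assumptions, not a real framework's API.

```python
"""Session-identifier authentication for a file-sync server (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

SESSION_ID_BYTES = 16             # 128 bits, the size the answer suggests
SESSION_TTL_SECONDS = 30 * 86400  # assumed 30-day lifetime; pick your own policy
PBKDF2_ROUNDS = 100_000           # assumed work factor for the password hash


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the password is only ever checked at login."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


class SessionStore:
    """Maps random session identifiers to the account that authenticated."""

    def __init__(self, ttl: float = SESSION_TTL_SECONDS):
        self._sessions: dict[str, tuple[str, float]] = {}  # sid -> (email, expiry)
        self._ttl = ttl

    def create(self, email: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)  # CSPRNG, 128 bits of entropy
        self._sessions[sid] = (email, now + self._ttl)
        return sid

    def resolve(self, sid: str, now: float | None = None) -> str | None:
        """Return the account behind a session id, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        email, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]  # expired: behave as if signed out
            return None
        return email

    def revoke(self, sid: str) -> None:
        """Sign out: the identifier stops working immediately."""
        self._sessions.pop(sid, None)


# Constructed user record: email -> (salt, PBKDF2 digest). Not real credentials.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"alice@example.com": (_SALT, _DIGEST)}


def login(store: SessionStore, email: str, password: str,
          now: float | None = None) -> str | None:
    """Verify the password once; on success mint a session id for the device."""
    record = USERS.get(email)
    if record is None or not verify_password(password, *record):
        return None
    return store.create(email, now)


def handle_request(store: SessionStore, sid: str, action: str,
                   now: float | None = None) -> tuple[int, str]:
    """Authorise an add/update/delete request by its session identifier."""
    email = store.resolve(sid, now)
    if email is None:
        return (401, "not authenticated")
    return (200, f"{action} for {email}")


def handle_request_email_only(email: str, action: str) -> tuple[int, str]:
    """The pattern the question describes: the request carries only the email.
    Nothing in it is secret, so the server has no way to tell the user's own
    device apart from any other client that knows the address."""
    if email not in USERS:
        return (404, "unknown user")
    return (200, f"{action} for {email}")
```

The identifier is the only thing the device needs to store after login; the password never leaves the device again. Because the server holds the mapping, signing out (or a server-side revocation after a lost phone) invalidates the identifier at once, which a stored password could not do.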