I’m modifying an Android app that utilizes a webapp via a webview. Currently the the code base for the webapp is written in ColdFusion – so all the session management is done in CF. There are certain hooks in the webapp that force the Android app to do native functions and sometimes call external scripts in PHP.

These php scripts get data posted to them (userid, friendid, etc) – currently the php scripts just make sure there is valid data being posted, then process the request if the data is present and valid.

I am looking for ways to increase the security of these php scripts to prevent bots / malicious users from posting false data to these pages – at this point nothings stopping anyone sending a correct userid/friendid and having the script from executing.

Session management would be the first line of defense, but since the webapp is in a different language I can’t use that – and sometimes the php scripts are on a different domain completely (same server though).

The other method I considered was on sign up creating a user token to associate with a user, and saving this on the Android side of things – then when requesting these php scripts send the userid and token. And verify the token for that user matches in the remote database – this would make it harder to guess posting credentials for malicious user. Clearly not the best because the token is stored locally and going over the wire, but I digress.

Question are there any better methods to use in order to protect these lone php scripts from being executed, with out the use of session management? Does my token idea make any sense?

Note: I can use SSL on any / all requests.