In an Android application, what are some of the best practices for session management?
In my case, I am using Active Directory to authenticate users. I was thinking of storing a last_authentication_time variable on the phone and requiring the user to log in after a set amount of time. If the user hasn’t passed that time period, skip the login screen. Otherwise, force the user to log in.
Is there anything wrong with this? It seems pretty simple; I just want to be sure to do this the ‘proper’, secure way.
Yeah, it’s a simple concept, although I don’t see the point in it: the user either wants to stay logged in or input the password, so why would inactivity force the user to enter a pass?
As for a secure way, you can either use some kind of encoding (preferably SHA-1) to store an encoded version of the password in shared preferences, or use the account manager as a more secure way of doing this. It’s a lot more complicated than shared preferences, but it’s also a lot better; search Google on how to add an account in the account manager.
Hope this helps.
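As an added illustration of the timeout scheme the question describes (not code from either poster), here is a small Android helper that keeps last_authentication_time in SharedPreferences and decides whether the login screen can be skipped. It enforces both an absolute lifetime since the Active Directory login and the inactivity limit the answer mentions, and it fails closed if the stored timestamps are missing or the device clock has moved backwards. The preference file and key names are assumptions for this example.

```java
import android.content.Context;
import android.content.SharedPreferences;

/** Decides whether a cached login is still valid or the user must authenticate again. */
public final class SessionPolicy {
    // Hypothetical preference file and key names chosen for this example.
    private static final String PREFS = "session";
    private static final String KEY_AUTH_TIME = "last_authentication_time";
    private static final String KEY_LAST_ACTIVITY = "last_activity_time";

    private final SharedPreferences prefs;
    private final long maxSessionMillis;   // absolute lifetime since the AD login
    private final long idleTimeoutMillis;  // inactivity limit

    public SessionPolicy(Context ctx, long maxSessionMillis, long idleTimeoutMillis) {
        this.prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        this.maxSessionMillis = maxSessionMillis;
        this.idleTimeoutMillis = idleTimeoutMillis;
    }

    /** Call once after a successful Active Directory authentication. */
    public void recordLogin() {
        long now = System.currentTimeMillis();
        prefs.edit().putLong(KEY_AUTH_TIME, now).putLong(KEY_LAST_ACTIVITY, now).apply();
    }

    /** Call on user interaction so the idle timer restarts. */
    public void recordActivity() {
        prefs.edit().putLong(KEY_LAST_ACTIVITY, System.currentTimeMillis()).apply();
    }

    /** True only when the login screen may be skipped. */
    public boolean isSessionValid() {
        long now = System.currentTimeMillis();
        long authAt = prefs.getLong(KEY_AUTH_TIME, -1L);
        long lastSeen = prefs.getLong(KEY_LAST_ACTIVITY, -1L);
        if (authAt < 0 || lastSeen < 0) return false;       // never logged in
        if (now < authAt || now < lastSeen) return false;   // clock went backwards: fail closed
        if (now - authAt > maxSessionMillis) return false;  // absolute lifetime exceeded
        if (now - lastSeen > idleTimeoutMillis) return false; // idle too long
        return true;
    }

    /** Forget the session, e.g. on explicit logout. */
    public void invalidate() {
        prefs.edit().remove(KEY_AUTH_TIME).remove(KEY_LAST_ACTIVITY).apply();
    }
}
```

The stored timestamps only gate the app’s own login screen; they do not by themselves keep the Active Directory credential or any server-side session alive.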