The Plan:
I’m developing an Android application that is heavily database driven (as in, most of the content is fetched from a MySQL database via a RESTful service layer on my webserver).
Before any calls can be made to the API requesting data, the user has to be authenticated by passing his credentials where they are checked against the database. If the user is validated, I pass back an authorization token. If the user selected the ‘Remember Me’ option, this token will be saved locally for future use.
All future API calls need to contain this authorization token.
When the user wishes to logout, a call is sent back to the API to delete that token from the database, thereby invalidating it for future use. Local copy of the token is deleted as well.
The Issue
If the user does not logout, and simply closes the app (Home or back button) and did not have the ‘Remember Me’ option selected, I want to destroy the token at the server. How can this be done?
Possible Solutions #1
- If there is an `onExit` event that fires when the application exits, make a call to the API letting it know to destroy the token.
Problems with this method are:
- Does such an event exist, which is guaranteed to be raised in all conditions (home button, back button, program crash (I can live without this one))?
Possible Solutions #2
- Maintain a `time of last activity` column in the database. If a call is made `x min` since the last activity, the token will be considered expired.
Problems with this method are:
- Added overhead of updating the time column in the database on every API call.
- Additionally, I will now have to store in the database if the user selected to be remembered, because in that situation the token cannot expire.
Which of the two solutions would you implement? Or is there another, better, way to implement this mechanism?
If you suggest #1, please advise which event it is that will serve my purpose.
Your first solution is not applicable because:
You’d better implement the second solution. Positives:
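
The second solution from the question (a last-activity column with an idle timeout that is skipped for remembered tokens), as an added example that is not part of the original question or answer. It assumes a hypothetical `auth_tokens` table, a 15-minute timeout, and in-memory SQLite standing in for the MySQL database; all function names are illustrative.

```python
import secrets
import sqlite3

IDLE_TIMEOUT_SECONDS = 15 * 60  # the question's "x min"; 15 is an assumed value


def open_store():
    # In-memory SQLite stands in for the MySQL table (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE auth_tokens (token TEXT PRIMARY KEY, user_id INTEGER,"
        " remember INTEGER NOT NULL, last_activity INTEGER NOT NULL)"
    )
    return db


def issue_token(db, user_id, remember, now):
    token = secrets.token_urlsafe(32)  # unguessable random token
    db.execute(
        "INSERT INTO auth_tokens VALUES (?, ?, ?, ?)",
        (token, user_id, int(remember), now),
    )
    return token


def touch_token(db, token, now):
    """Validate and refresh in one UPDATE; True if the token is still live."""
    cur = db.execute(
        "UPDATE auth_tokens SET last_activity = ?"
        " WHERE token = ? AND (remember = 1 OR last_activity >= ?)",
        (now, token, now - IDLE_TIMEOUT_SECONDS),
    )
    return cur.rowcount == 1


def revoke_token(db, token):
    # Explicit logout: delete the row so the token can never validate again.
    db.execute("DELETE FROM auth_tokens WHERE token = ?", (token,))


def purge_idle(db, now):
    # Periodic cleanup of non-remembered tokens that have gone idle.
    cur = db.execute(
        "DELETE FROM auth_tokens WHERE remember = 0 AND last_activity < ?",
        (now - IDLE_TIMEOUT_SECONDS,),
    )
    return cur.rowcount
```

Folding the check and the timestamp refresh into a single `UPDATE` keeps the per-call overhead to one statement. On MySQL the affected-row count reports only rows whose values changed by default, so two calls within the same second need the client's found-rows option (or a follow-up `SELECT`) for this check to hold.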