I'm trying to log in to my site from my Android app. Sending a POST request is apparently not possible, so the only way is sending a GET request. Is it fine to send the password this way? Should I encrypt it somehow?
-
Apparently not possible, or certainly not possible? It seems unlikely to me. – John Dvorak Oct 22 '12 at 04:50
-
Sending unencrypted passwords through GET is certainly a bad idea. Sending encrypted passwords seems bad as well since a search engine might index the URL. – John Dvorak Oct 22 '12 at 04:52
-
It *is* possible to send a POST request in Java. Even then, you should encrypt the password being sent. – FThompson Oct 22 '12 at 04:54
-
I have worked with POST requests in Android and I can surely say that it is very much possible to send POST requests... So, if you can present some code to show what you are trying to do, maybe then we can help... – Shekhar Chikara Oct 22 '12 at 05:11
-
I do not know why this question was marked down. I understood his question perfectly. – Yicanis Oct 22 '12 at 05:35
-
@ShekharChikara the problem is that the cookies session is not saved when you open the browser after sending the POST request, so it is not possible to login on another site and open the browser, logged in there. That's what I've been told, at least. – MaiaVictor Oct 22 '12 at 13:34
-
@Dokkat So POST requests *can* be sent, just cookies can't be saved. Thanks though, I didn't know that before. EDIT: There isn't a difference between using GET and POST as far as saving cookies goes..? – FThompson Oct 22 '12 at 17:11
3 Answers
The way to do this is to encode your details using the base64_encode function and pass them through "GET" params.
Additionally, you may add something to mix up the password. So this will depend on how you want to display and pass your login credentials.
*Note: for mobile, I think it can't use an encrypt function like bcrypt in PHP.
Hope this helps!
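
An added example (not part of the answer above, and not code from any poster on this page): a value sent in a GET query string also lands in web-server access logs, and base64 is an encoding that decodes without any key. This Python script audits access-log lines for password parameters in the URL and redacts them; the parameter names, the log format and the sample lines are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names treated as credentials (assumed; extend for your application).
SENSITIVE = {"pass", "password", "pwd", "post_pass"}
# Request line inside a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def decodes_as_base64(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None (heuristic)."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None


def audit_line(line):
    """Return (findings, redacted_line) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return [], line
    parts = urlsplit(m.group("target"))
    findings, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            recovered = decodes_as_base64(value)
            findings.append((name, "base64" if recovered else "plaintext", recovered or value))
            value = "REDACTED"
        kept.append((name, value))
    if not findings:
        return [], line
    target = parts._replace(query=urlencode(kept)).geturl()
    return findings, line[:m.start("target")] + target + line[m.end("target"):]


# Constructed sample log lines (not from the original page).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2012:04:50:01 +0000] "GET /login.php?user=alice&pass=hunter2 HTTP/1.1" 200 1',
    '203.0.113.7 - - [22/Oct/2012:04:51:10 +0000] "GET /login.php?user=alice&pass=aHVudGVyMg%3D%3D HTTP/1.1" 200 1',
    '203.0.113.7 - - [22/Oct/2012:04:52:30 +0000] "POST /login.php HTTP/1.1" 200 1',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(audit_line(entry))
```

The second sample line yields the same recovered password as the first, while the POST line carries nothing in its URL to log.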
I do not think it is possible for you to send your device user's credentials through HTTP GET. If you could go through GET, though, with some weird method of coding, it won't be secure unless it is encrypted, and SSL is recommended. However, it is very possible through HTTP POST and it can be encrypted as well. You should be using SSL for the POST. Here is some sample code if you need a reference.
```java
case R.id.login_login_but:
    Toast.makeText(this, "Logging in...", Toast.LENGTH_SHORT).show();
    // Form fields travel in the POST body rather than in the URL
    ArrayList<NameValuePair> postLogin = new ArrayList<NameValuePair>();
    postLogin.add(new BasicNameValuePair("post_user", "User"));
    postLogin.add(new BasicNameValuePair("post_pass", "Pass"));
    try {
        // CustomHttpClient is the poster's own helper class (not shown).
        // The URL is plain http:// as posted; the text above says to use SSL.
        String response = CustomHttpClient.executeHttpPost(
                "http://giveaway.synamegames.com/appfiles/login.php", postLogin);
        // Strip whitespace so the body compares cleanly against "1"
        String res = response.replaceAll("\\s+", "");
        if (res.equals("1")) {
            // logged in
        } else {
            // incorrect user or password
        }
    } catch (Exception e) {
        Toast.makeText(this, "Server timeout please try again later. You must have internet.", Toast.LENGTH_SHORT).show();
    }
    break;
```
And the PHP script I used was...
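```php
<?php
// Missing fields become empty strings instead of raising notices
$username = isset($_POST['post_user']) ? $_POST['post_user'] : '';
$password = isset($_POST['post_pass']) ? $_POST['post_pass'] : '';
$user = 'db_user';
$pswd = 'db_password';
$db = 'db_name';
$server = 'www.domain.com';
$conn = new mysqli($server, $user, $pswd, $db);
if ($conn->connect_error) {
    die('Database connection failed');
}
// Prepared statement: both values are bound as parameters, never
// concatenated into the SQL string (the ext/mysql API is gone in PHP 7)
$stmt = $conn->prepare("SELECT * FROM users WHERE pass = ? AND user = ?");
$stmt->bind_param('ss', $password, $username);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
    echo 1;
} else {
    echo 0;
}
$stmt->close();
$conn->close();
?>
```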
-
The problem is the cookie session won't be shared by the browser, and I'll open it afterwards. – MaiaVictor Oct 22 '12 at 13:39
You may have to do both encrypting and sending a POST request. If your signing in process is available as an API, you can use WebRESTClient to do the same.
Also, you can do simple hashing like
```java
import java.security.MessageDigest;
import org.apache.commons.codec.binary.Hex;

// One-way MD5 digest of the password, rendered as a hex string
MessageDigest md5Hash = MessageDigest.getInstance("MD5");
byte[] mDigest = md5Hash.digest(password.getBytes());
String hashedMessage = new String(Hex.encodeHex(mDigest));
```
-
MD5 *is not* encryption, and cannot be decrypted on the receiving end, as it is a hashing algorithm. – FThompson Oct 22 '12 at 17:13
-
@Dokkat MD5 is irreversible and hence safer than encryption. Encryptions are reversible. Check out [link](http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it)... Vulcan, thank you for the correction... – peer Oct 23 '12 at 15:24