14

I'm in early (pre-coding) stages of developing a mobile web application using jQuery Mobile (we looked at Sencha Touch for a few weeks, but jQuery Mobile is a better fit for our team's competencies). I am wrapping the jQuery Mobile web application with PhoneGap to create an iPhone, iPod touch, and iPad native-ish application. I use Django for our web applications so intend to do the same here for the server-side, with some sort of JSON/Ajax/REST data flow for the interface between the mobile application and the server. Since it's a mobile-only application, we should have access to all the HTML5 kind of stuff.

While I am likely to come up with other issues/questions for this implementation, here is my current question/issue:

I need to set up the application so that the first time the user opens the application, they must enter a username and password to authenticate. Subsequently the user should not have to authenticate unless the user clicks a "settings" link which gives them a page to authenticate with a different account or password. The application should still authenticate to the server each time it is started, using the current username and password that was originally entered, to make sure that the account hasn't been disabled or the password changed or something.

I am pretty new to authentication schemes. What should I do?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
B Robster
  • 40,605
  • 21
  • 89
  • 122

6 Answers6

4

Although you're not going with Sencha Touch, there's a pretty good overview of the issues at HTTP Authentication.

As for storing the authentication information after an initial login, you could try local storage or a cookie (though you might need to use PhoneGap to enable cookie storage). HTML5 also provides key-value local client storage. If authentication cookies work I believe this could be handled automatically for you; otherwise you could implement a document.ready authentication check within an Ajax call using authentication data from local storage (or encrypted storage).

Community
  • 1
  • 1
A Lee
  • 7,828
  • 4
  • 35
  • 49
4

I would advise against storing in HTML5 local/web storage. If you are targeting iOS PhoneGap, I would recommend using the Keychain Plugin: http://blogs.nitobi.com/shazron/2010/11/06/ios-keychain-plugin-for-phonegap/

Shazron
  • 2,446
  • 1
  • 18
  • 30
  • We ended up using your plugin and its worked so far. (I believe my coworker sent a msg asking you a question, which you helpfully answered). While we figured using localStorage wouldn't be the end of the world, given the way the apps are packaged and the way we intend to limit distribution, but went with the keychain to do it the right way! – B Robster Aug 07 '11 at 06:24
  • (Note that this is iOS only, and wouldn't work for other PhoneGap deployments) – B Robster Nov 03 '12 at 19:36
4

The KeyChain solution would work only on iOS devices, so if that's your only target you are fine.

But what about the others? Kind of a waste using PhoneGap but then deploying only to one framework...

I know localStorage is not secure, but if you are aware of the limitations there are ways to make a bit less "obvious".

Here's the jQuery.handleStorage plugin which also handles AES encryption... You could have a look at the source and implement only the parts you need (in case you don't want to use the whole plugin, which also supports desktop browsers!).

PS: I am not affiliated in any way to that plugin or the author

Leon
  • 4,532
  • 1
  • 19
  • 24
  • You could also use the newer, more flexible version which doesn't require binding a to form https://github.com/jas-/secStore.js – jas- Jan 08 '14 at 13:24
1

This was one of the burning questions I had when I started mobile development with PhoneGap. Let me explain what I do to get through.

When the users try to login to he/she enters the username and password which will be sent via a web service call to the server side. If the authentication is successful issue a token to the user and save it at the server side for the future communication. User will receive the token and it will be saved in the local storage or whatever mechanism you prefer.

Now for future communication use the token, token will be passed with the every web service call to the server side where server will authenticate whether the token is a valid token issued by the server. You can invalidate the token by every 72 hours or 48 hours as pre your requirement(or not expiring). Once the token is invalidated you will have to login and get a new token.

Hope this solve your problem.

Techie
  • 44,706
  • 42
  • 157
  • 243
-1

Try HTTP Authentication with HTML Forms and see if it helps.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Frantz Romain
  • 836
  • 1
  • 6
  • 14
  • Thanks for the link, however based on this excerpt alone: "this technique works in IE6 and Firefox but is known not to work in both Opera and Safari, so if you care about those browsers you may want to think again about using this (or to spend some time investigating why it fails in those browsers)." I'm guessing it is not something i'm going to want to pursue for my mobile-only application; additionally, it doesn't address my "first-time-only" login requirement. . . hopefully i get a more on-point answer! :) – B Robster Jun 05 '11 at 00:04
-1

It says to include a PHP file into the HTML file, but I'm not sure if PhoneGap works with PHP. I just started using PhoneGap this weekend.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Frantz Romain
  • 836
  • 1
  • 6
  • 14
  • Do you have a link to "it" (it being the thing that is saying this thing.) I don't currently plan on using any php (since I'm using python/django/wsgi on the server side). – B Robster Jun 05 '11 at 00:08
  • I was told to store the PHP file inside your server and then use AJAX to make information transactions. – Frantz Romain Jun 05 '11 at 23:21