Tell me, is the following registration scheme correct:

  • The data entered by the user (the password is not encrypted, it is transmitted as is) is sent to the server over HTTPS
  • on arrival at the server, the data is stored in the database (the password is hashed before being written to the database)

And the scheme for logging in to the account:

  • unencrypted data is likewise transmitted over HTTPS

  • on arrival at the server it is checked for validity against what is in the database

  • if it is not valid, the user is sent a signal that
    the data was entered incorrectly

  • if it is valid, then here I have a second question: what to do next?

P.S. The client is an Android application. P.P.S. Don't forget the first question: "Is this scheme correct?"

  • And what, in your opinion, is incorrect in the scheme? What to do next? Generate some kind of session key, give it to the client and require it for identification. - Chad
  • Generate a token? - Icsdssd
  • Yes, so as not to transmit the password on every connection; well, give this token an expiration date... you can also add IP binding, etc. - Solid

1 answer

Sending a password over HTTPS is standard practice, with two provisos:

  1. You need to take care that the device has a client certificate that the server will accept
  2. The server should force an HTTPS connection if the client comes to it over plain HTTP

if it is valid, then here I have a second question: what to do next?

  1. Take the login and use it to look up the salt on the server
  2. Compute hash(password+salt)
  3. Compare it with the hash value stored on the server: if they match, let the user in; if not, reject them.
  • I would clarify the very first point, so that there is something to google: you need to do SSL pinning - andreich