How Session Management approach differs in mobile native vs hybrid vs web applications?

Rohit · Jul 20, 2016 · Viewed 8.8k times

I wanted to discuss under-the-hood information about how a session is managed in the case of mobile apps: native, hybrid and web applications.

Please validate the Session Management scenarios below:

Native (Android/iOS) application

  1. Using Session Cookies: Session cookies are stored in your DefaultHttpClient object. Instead of creating a new DefaultHttpClient (AFNetworking in iOS) for every request, hold onto it and reuse it, and your session cookies will be maintained.

Hybrid (JET, ionic, Angular, Cordova) application

  1. Use localStorage to store the user info after a successful login. On logout clear the localStorage.

Web-HTML5 apps

  1. Attribute SessionStorage in HTML5: can be used by sites to add data to the session storage, and it will be accessible to any page from the same site opened in that window, i.e. the session, and as soon as you close the window, the session would be lost.

Thanks and Regards,

Rohit

Answer

Atilla Ozgur · Jul 27, 2016

The old way of managing sessions is via cookies.

How does it work? When your user enters a username and password in your login screen, you give him a session cookie. This cookie is maintained in every interaction between your user's browser and your web site. You need to maintain this cookie on your server side. In addition to this session cookie, web sites hold additional information about the user in the server-side session too.

What is the problem with this approach?

Inherently, it is not scalable.

If your user numbers are not high, you can hold these session cookies and additional information on one web server. But if user numbers are high, you need to solve this with different approaches, like holding this session information in a database or session server.

What is the new way of storing sessions?

Modern browsers have a local storage capacity. This local storage is ideal for non-critical information for users. Session storage is for one session only, and when the user closes the browser (tab), it is deleted. Local storage is for one site, and you need to explicitly delete it or users may choose to delete it. Store any non-critical information here. If your users log out from your site, delete them.

Hybrid (JET, ionic, Angular, Cordova) application

A Cordova application is no different from a web browser. Here you are sure that your user is the only user on this computer (mobile phone); therefore, use exclusively local storage.

Native (Android/iOS) application

Use sqlite to hold all your session information. Never use cookie authorization with a native application; it is unnecessary and not scalable. Use token authorization.

All applications

For all applications, use your login screen to get an authorization token, for example a JWT token, and store it in your application.

  1. web application - local storage
  2. hybrid application mobile - local storage
  3. native application - sqlite

Read the difference between cookie authorization and token authorization here.

Confidential Information

Do not store any confidential information (password, credit card, ...) in any of these storages. Store them in your database, and show them to the user case by case.