Android
StynuBlizz, 2017-01-24 08:58:10

How to pass the password correctly?

Please let me know if this is the correct way to do this:

  • the data entered by the user (the password is not encrypted, transmitted as is) is sent via HTTPS to the server
  • upon arrival at the server, the data is stored in the database (the password is hashed before being entered into the database)

And the scheme of work when entering the account:
  • unencrypted data is also transmitted over HTTPS
  • upon arrival at the server, they are checked for validity with those that are in the database
  • if they are not valid, then a signal is sent to the user that the data entered is incorrect
  • if they are valid, then here I have a second question: what to do next?

PS The client is an Android application
PPS Don't forget about the first question "is this scheme correct?"


2 answer(s)
Ivan, 2017-01-24
@StynuBlizz

In general, everything is correct. If the application needs super protection, then there is no point in dealing with encryption when sending.
As for what to do next:
My only suggestion is to generate some kind of token (key) from the server side, upon successful authorization, then transfer this key to the user on the device, save this key and make all subsequent requests using this key. If this token is invalid, the user should be thrown out.
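The flow from the question and this answer, sketched server-side as an added example (not code from the thread or from either poster): the password arrives over HTTPS, only a salted hash is stored, and a successful login returns a random token that every later request must present. The in-memory dicts standing in for the database, the function names, the PBKDF2 iteration count and the one-hour token lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}         # username -> (salt, password hash); stands in for the database
SESSIONS = {}      # sha256(token) -> (username, expiry); stands in for a session table
TOKEN_TTL = 3600   # assumed token lifetime in seconds
ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def _hash_password(password, salt):
    # Slow, salted hash: the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _token_key(token):
    # Only a digest of the token is kept server-side, so a leaked
    # session table does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))

def login(username, password, now=None):
    """Return a fresh token on success, None if the credentials are invalid."""
    now = time.time() if now is None else now
    # Unknown users still cost one hash, so response time does not reveal them.
    salt, stored = USERS.get(username, (b"\x00" * 16, b""))
    candidate = _hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)   # unguessable, carries no user data
    SESSIONS[_token_key(token)] = (username, now + TOKEN_TTL)
    return token

def authenticate(token, now=None):
    """Return the username for a valid token, None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(_token_key(token))
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del SESSIONS[_token_key(token)]  # expired: the user is "thrown out"
        return None
    return username

def logout(token):
    SESSIONS.pop(_token_key(token), None)
```

On the Android side the token, not the password, is what gets saved on the device and sent with each request.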

Alistair O, 2017-01-24
@box4

Maybe leave it to Google and Facebook with VK? That would increase the audience, because many are too lazy to create a hundredth login and password.
