Android

How to properly organize authorization on android?

Good afternoon, the essence of my problem lies in ignorance of the way the application interacts with the server correctly.
I started writing a messenger (you can say that it’s just for myself to practice)
In authorization, I have only entered the login and password, which are then sent to the local server using Http Post , where the php script sends a request to the database to select a user with such a login and password, then there is a check, if the string is not empty then ....., if the string is empty then ....... .
I don’t know what to do in the place of these points, as I understand it, you just need to lay out a page that will go back to the application, parse it there and take the data I need, they say, if you find such and such a line that contains the user token , then there is a user, and if you find a line with the content - "There is no such user", then there is no such user, and then dance from this?
And yet, how to properly organize a session? Throw this token (which will be generated using a certain algorithm on the server side during registration, and recorded in the database) back and forth and each time check it and work through it?
Well, another question, as I understand it, basically in response to a request from the server in the case of android applications, there is not an html page, but xml?
Forgive me if the questions are stupid) I just googled and googled, but I didn’t find a reasonable answer for myself