Hi all,
I'm creating an mobile app where people can share all kinds of things with each other. The shared data is stored in an external database which is queried by some php scripts on a web server.
The problem I'm facing is that ANYone could query this database just by creating a simple http request to my web server. How can I (or actually the web server) be sure that the request comes from a verified user and not some random person on a computer trying to steal or corrupt data from the database?
Some things I was having in mind, but still sound like bad practice...
Every time a user makes a request to the web server it has to pass a username and password to verify the user.
When a user logs in for the first time the web server creates a random 'key' which is stored in the database together with the user info. The key will also be send to the user's device and stored locally. On any further requests from user to web server this key also needs to be send and verified with the user. An attacker would now need a 'key' combined with a user id to break in the database.
A side note: I'm making use of a SSL connection, so the data transferred should be secure.
Hope to hear from you!