I am learning more about SharedPreferences and would like to understand how exactly everything is working. I have watched a decent amount of videos but I still have some questions.
- Upon a user logging in, I generate a random session ID using UUID. I then assign the user their session ID and save a session by passing the UserModel into a SessionManagement instance that handles SharedPreferences.
userModel.setSessionId(UUID.randomUUID().toString());
SessionManagement sessionManagement = new SessionManagement(LoginActivity.this);
sessionManagement.saveSession(userModel);
- When the user closes/opens the app, onStart() is called. It creates another instance of SessionManagement and checks if the session is null using getSession() to determine whether they're logged in or not.
SessionManagement sessionManagement = new SessionManagement(LoginActivity.this);
if (sessionManagement.getSession() != null) {
// go to some activity
}
And here is what SessionManagement constructor looks like:
private SharedPreferences sharedPreferences;
private final SharedPreferences.Editor editor;
private MasterKey masterKey;
//private String SHARED_PREF_NAME = "session";
private final String SESSION_KEY = "session_user";
private final String SESSION_USERNAME = "session_username";
public SessionManagement(Context context) {
try {
masterKey = new MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
} catch (GeneralSecurityException | IOException e) {
e.printStackTrace();
}
try {
sharedPreferences = EncryptedSharedPreferences.create(
context,
"secret_shared_prefs",
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
);
} catch (GeneralSecurityException | IOException e) {
e.printStackTrace();
}
//sharedPreferences = context.getSharedPreferences(SHARED_PREF_NAME, Context.MODE_PRIVATE);
editor = sharedPreferences.edit();
}
My question now is, if I am just checking whether the session is null or not, how does SharedPreferences know that the sessionID corresponds to the user that initialized it in step 1?
What are the ways that people work around weak/exposed session ID's that a SharedPreferences implementation can protect against?
Is my implementation/flow correct?
Is it safe to save the sessionID to a user model?
I appreciate any help I can get with this topic!
CodePudding user response:
It looks like your implementation is using a combination of UUID and SharedPreferences to manage sessions for users. When a user logs in, you generate a random UUID and save it as a session ID, which is then associated with the user. When the user closes and reopens the app, you check the SharedPreferences to see if the session ID is still present, and if it is, you assume the user is still logged in.
To answer your specific questions:
SharedPreferences doesn't have any built-in way of knowing which user a session ID belongs to. It simply stores key-value pairs, and it's up to you to manage the relationship between the session ID and the user it belongs to.
There are several ways to protect against weak or exposed session IDs. One common approach is to use a combination of UUIDs and tokens, where the UUID is used to identify the session and the token is used to authenticate the user. This way, even if an attacker somehow gets hold of the session ID, they won't be able to impersonate the user unless they also have the user's token.
Your implementation seems to be correct, but it's always a good idea to review and test your code to make sure it's working as expected.
Saving the session ID to a user model is generally safe, as long as you take steps to protect the user's data. For example, you could encrypt the user's data before saving it to SharedPreferences, or you could use a secure database to store the user's data instead of SharedPreferences.
Overall, it's important to carefully consider the security implications of your session management implementation, and to take steps to protect against potential attacks. I hope this helps!