I understand that to access a remote database (SQL server) the typical way is through web services. Expose functions through the web service and access the web service through the app. My concern is how to verify a user's credentials.
Example: User logs in, application transmits UN/PW to web service, web service determines if credentials are valid and returns a true for that username. Now I can store that he is logged in somewhere in the application and future transactions are to be that user. Perhaps add a timeout in case the device is left unattended or if you can catch it being put in 'sleep' mode somehow have that trigger re-verifying credentials.

I have a sense as to how all of this works. However, could someone not see what site the web service is being accessed at through monitoring the packets? And then with some DNS redirecting host another service that takes the same parameters for the same function name and returns true regardless of the password. Then the app assumes he is logged in when he never verified credentials.

Can people not determine location of web service through packet sniffing/other means? If they know the location of the web service, that gives them access to what functions are being called and what parameter types to pass. Would SSL protect this? Is there a better way to validate credentials on a remote database than through web services?

--
View this message in context: http://mono-for-android.1047100.n5.nabble.com/Passing-Credentials-remote-database-tp5436362p5436362.html
Sent from the Mono for Android mailing list archive at Nabble.com.
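
The login flow described above, as an added example that is not part of the original post: the real service returns a signed, expiring token instead of a bare true, and every data function re-checks that token, so a look-alike service that answers "success" for any password yields nothing the real service will honor. The function names, token format, TTL and user store are constructed assumptions, and the sketch is in Python rather than the poster's stack; TLS with certificate validation is still needed to protect the password in transit.

```python
import hashlib, hmac, os, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: held only by the real service
TOKEN_TTL = 900                       # seconds; plays the role of the post's timeout

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: salted password hashes, never plaintext.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def login(username, password, now=None):
    """Return a signed, expiring token on success, None on failure."""
    now = int(time.time() if now is None else now)
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    body = f"{username}|{now + TOKEN_TTL}"
    return f"{body}|{_sign(body)}"

def authenticate(token, now=None):
    """Server-side check run on every call; returns the username or None."""
    now = int(time.time() if now is None else now)
    try:
        username, expiry, sig = token.split("|")
        if hmac.compare_digest(sig, _sign(f"{username}|{expiry}")) and now < int(expiry):
            return username
    except (AttributeError, TypeError, ValueError):
        pass  # malformed token: treat as unauthenticated
    return None

def get_orders(token):
    """A data function: authorizes from the token, not from client-side state."""
    user = authenticate(token)
    if user is None:
        raise PermissionError("not authenticated")
    return [f"order-1 for {user}"]

def spoofed_login(username, password):
    """What a look-alike service that accepts any password could hand back."""
    return f"{username}|{int(time.time()) + TOKEN_TTL}|{'0' * 64}"
```

The app may still keep a local "logged in" flag for its UI, but the flag grants nothing: only a token that `authenticate` accepts reaches the data.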