Remember User's Username and password

Hi everybody,

I’m using parse.com for my back end. 

In my app I have a login form. When the User inserts username and password, they can go inside the app.

But I want a User who has already logged in at least once to go inside the app when the app starts, without inserting username and password every time, maybe only just after a logout.

To do that I save the username and password in a txt file, and the app cleans the file when the user taps on logout.

When the app starts, it reads the txt file: if there are a username and password it goes inside the app, else if the txt file is empty the app shows a login form, and so on.

This system works correctly, but the question is: is this a correct way to do that or is there a more professional way to implement this feature?

Generally, it’s bad to save the user’s username and password in plaintext, even on the user’s phone. Theoretically somebody could obtain the phone, look through the files on the system and find your app that has the username and pw in plain sight. Then they could use the password to try and gain access to different services, because most people use the same password for multiple things.

Parse has a way around this with the session token. You can authenticate calls to Parse with the user’s session token, without the need to store username and password. However there is one big security flaw with the way Parse handles session tokens: they never expire! Even when the user logs out or changes their password, the session token always remains valid. Theoretically the thief mentioned above could obtain this session token and pretend to be that user, and gain access to all the info that the user has in your Parse database (except for their password! Thankfully Parse hashes those before saving.)

So what’s the best thing to do? I’m not entirely sure, but you could probably encrypt the session token before saving it. This is not foolproof though because somebody just needs to decompile your app package and they will be able to see your encryption key along with your Parse API Key and any other secure keys that you stored in your code. There is no way to stop a determined hacker.

Probably the most secure thing you can do is have the user login every time they open your app. But that would be very annoying.

One last thing, if you’re not already using it, you should check out mod_parse. It makes working with Parse very easy in Corona.

Hi Vince,

thank you very much for your reply.

I’ll let you know any developments.

Take care

I tried to use “Vince’s method”. Everything works well. To sum up: when a user logs in, the session token is saved in a txt file.

When the user logs out the app clears the txt file. When the user starts the app, if the txt file is empty the login form appears; otherwise the user can use the app without logging in first.

In this way username and password are not saved in any file.

Correct me if there is some error.
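The scheme described in this thread (store only the Parse session token, clear it on logout, check it at startup), written out as an added Corona/Lua example. This is not mod_parse code or the poster's code; `showMainScene` and `showLoginForm` are assumed placeholders for the app's own scenes, and the file name `session.txt` is a constructed choice.

```lua
-- sessionStore: persist the Parse session token only, never the password.
-- Assumes a Corona app; uses system.pathForFile / system.DocumentsDirectory.
local sessionStore = {}
local FILE_NAME = "session.txt"   -- constructed file name for this example

local function tokenPath()
    -- DocumentsDirectory is the app's private writable area, not a shared folder
    return system.pathForFile(FILE_NAME, system.DocumentsDirectory)
end

-- Call after a successful login; writes only the token returned by Parse.
function sessionStore.save(sessionToken)
    if type(sessionToken) ~= "string" or #sessionToken == 0 then
        return false, "empty token"
    end
    local fh, err = io.open(tokenPath(), "w")
    if not fh then return false, err end
    fh:write(sessionToken)
    fh:close()
    return true
end

-- Returns the stored token, or nil when the file is missing or empty.
function sessionStore.load()
    local fh = io.open(tokenPath(), "r")
    if not fh then return nil end
    local raw = fh:read("*a") or ""
    fh:close()
    local token = raw:match("^%s*(.-)%s*$")   -- trim whitespace/newlines
    if token == "" then return nil end
    return token
end

-- Call on logout. Removing the file only forgets the token locally; as noted
-- in the thread, Parse keeps the token valid server-side after logout.
function sessionStore.clear()
    os.remove(tokenPath())
end

-- Startup branch: token present -> skip the form, otherwise show login.
-- showMainScene / showLoginForm are assumed app functions, not Corona APIs.
local token = sessionStore.load()
if token then
    -- send the token with each request as the X-Parse-Session-Token header
    showMainScene(token)
else
    showLoginForm()
end
```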

One last thing, if you’re not already using it, you should check out mod_parse. It makes working with Parse very easy in Corona.

Yes, I’m already using mod_parse. I just have some problems writing a “Parse compatible query table”; is there someone who can explain to me the syntax of the query table?