Some server client keys design issue
I need some advise.
I have a mobile application (Android) and a WebService for it.
When application starts first time - user does some registration process. Then he has a username(Unique). The server give the user a unique userId for internal purposes.
In some features of the application - the user sends requests to the webservice that needs the UserId.
I thought to sends for these request the username and not the userId - meaning that the application will never have the internal userIds, always send the username and the webservice will find the userId itself..... Guess it is better for security issues, disadvantage is that it ta开发者_StackOverflow社区kes more time in the server side.
Any ideas? Comments?
For me it makes more since to store both in the android application and use the userid to make requests. I'm not aware of any unsecure aspects of sending the userid. If anything it seems less secure to accept a username because anyone has access to the list of usernames and if they found the service endpoint could possible figure out how to send it someone else's username and retrive info. The userid on the other hand is hidden from the users.
精彩评论