Should a logged-in Android client receive auth-tokens on each request, or need to log-out/log-in for a new token?

0 votes
Asked by user: (120 points)

From a security perspective, should I avoid giving an Android client a new mobile auth-token until they log out (or the token expires) and re-login?

Or is it ok to give the logged-in user a new token on each request, so they can stay logged in indefinitely?

I'm working on an Android app with a Rails backend, but I'm new to the Android part and trying to avoid glaring errors.


0 votes
Answered by user: (4.1k points)

First option: you don't need to, and shouldn't, generate a new token on each request.

If you want to keep a good security level you can generate a guest token, and then a logged-in user token, and check whether its User-Agent changes in a request of the same session.
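The scheme the answer sketches (a guest token first, a separate logged-in token issued at login, no per-request renewal, and a User-Agent check on every request of the same session) can be written down as a small server-side store. The following is an added example, not code from the question or answer and not part of any Rails project; the 30-day lifetime, the class and method names, and the in-memory Hash backing are assumptions for illustration, and a real Rails backend would put the same fields on a model. Only a SHA-256 digest of each token is kept, so a leaked session table yields nothing usable.

```ruby
require 'securerandom'
require 'digest'

# Added illustration (not code from the original answer): an in-memory token
# store that follows the answer's scheme. A guest token is issued first, it is
# swapped for a logged-in user token at login, and each token is bound to the
# User-Agent it was issued to; a request whose User-Agent differs revokes the
# session and forces a fresh login. Lifetimes and names are assumptions for
# the example; a Rails app would back this with a model instead of a Hash.
class TokenStore
  TOKEN_TTL = 60 * 60 * 24 * 30 # assumed 30-day lifetime; tokens are not renewed per request

  Session = Struct.new(:user_id, :agent_digest, :expires_at, :revoked) do
    def guest?
      user_id.nil?
    end
  end

  # `now` is injectable so expiry can be exercised deterministically.
  def initialize(now: -> { Time.now })
    @sessions = {}
    @now = now
  end

  # Issue a token and hand the raw value to the client. Only the SHA-256
  # digest is stored, so a leaked session table yields no usable tokens.
  def issue(user_id:, user_agent:)
    raw = SecureRandom.urlsafe_base64(32)
    @sessions[digest(raw)] = Session.new(user_id, digest(user_agent.to_s), @now.call + TOKEN_TTL, false)
    raw
  end

  # Login: the guest token is retired and a user token is issued for the same agent.
  def upgrade(guest_token, user_id:, user_agent:)
    session = authenticate(guest_token, user_agent: user_agent)
    return nil if session.nil? || !session.guest?
    revoke(guest_token)
    issue(user_id: user_id, user_agent: user_agent)
  end

  # Returns the Session for a live token whose User-Agent matches, else nil.
  def authenticate(raw_token, user_agent:)
    session = @sessions[digest(raw_token.to_s)]
    return nil if session.nil? || session.revoked || session.expires_at <= @now.call
    if session.agent_digest != digest(user_agent.to_s)
      session.revoked = true # agent changed mid-session: treat as suspect, force re-login
      return nil
    end
    session
  end

  # Explicit logout, or server-side kill of a suspect session.
  def revoke(raw_token)
    session = @sessions[digest(raw_token.to_s)]
    session.revoked = true if session
    !session.nil?
  end

  private

  def digest(value)
    Digest::SHA256.hexdigest(value)
  end
end
```

A client therefore keeps one token from login until logout or expiry; the server never hands out a replacement on an ordinary request, and a User-Agent change on a live session is enough to kill that session rather than silently continue it.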
