I'm creating an Android app that allows people to register via Facebook Account Kit. Facebook Account Kit returns a token to me after the user has been verified (via SMS). After this I get the user's Facebook ID and phone number. I use the user's Facebook ID as the user ID in my application.

At the moment, when I need to get user data from the database and show it in the app, I use a hidden field in the app to send the user ID to the PHP file that filters the data. Many have told me that this is not recommended; they told me to send a token to the PHP file and then get the user ID linked to that token.

I can't understand a few things:

1) The token must be associated with the user's ID. Could I save them in the same MySQL table, or should I do it another way?

2) What happens when the token expires? I have to log the user in again and save the new token in the MySQL table. But to do this I will have to specify that it is saved in the row where the user ID matches, and so send the user ID from the app again.

3) To log in, I request the phone number and the user ID, and I will have to send them from the app to the PHP file that checks whether the user exists or not. But then I'm back at the initial problem, i.e. sending the user's ID and phone number from the app to the PHP file.

The user ID and phone number are not saved in the app; when I need them I request them through the Facebook Account Kit API and insert them into an EditText.

Do you think what I do is safe? Do you recommend a better alternative for securing my users' data? But above all, if you have to reproach me for something about my question, do it; maybe I misunderstood how tokens work and what I asked is wrong.

Feel free to tell me what you think. Thanks a lot.
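The scheme the asker was advised to use, as an added example that is not code from the question or from Facebook: the server keeps a sessions table that maps a token (stored as a hash) to a user ID and an expiry time, and every endpoint resolves the user from the token instead of from a client-supplied ID. Python with an in-memory sqlite3 database stands in for the PHP/MySQL backend. The Account Kit verification step is stubbed with a constructed lookup table (FAKE_ACCOUNT_KIT, verify_account_kit_token); in a real deployment the server would verify the Account Kit token with Facebook's server-side API and take the ID and phone number from that response, never from the app. All names, tokens and IDs below are made up for the example.

```python
import hashlib
import secrets
import sqlite3
import time

# sqlite3 stands in for the MySQL tables in the question; the schema has the
# same shape you would create there. Only a hash of the session token is
# stored, so a leaked table does not hand out usable tokens.
SCHEMA = """
CREATE TABLE users (
    user_id TEXT PRIMARY KEY,    -- the Account Kit id used as the app's user id
    phone   TEXT NOT NULL
);
CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY,
    user_id    TEXT NOT NULL REFERENCES users(user_id),
    expires_at INTEGER NOT NULL  -- unix time
);
"""

# Constructed stand-in for Facebook's verification endpoint (assumption, not
# part of the question): maps an Account Kit token to the identity Facebook
# would vouch for. Real code calls Account Kit's server-side API instead.
FAKE_ACCOUNT_KIT = {
    "ak-token-alice": {"id": "100000000000001", "phone": "+15550000001"},
    "ak-token-bob":   {"id": "100000000000002", "phone": "+15550000002"},
}


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def verify_account_kit_token(ak_token):
    """Return {'id', 'phone'} if Facebook vouches for this token, else None (stub)."""
    return FAKE_ACCOUNT_KIT.get(ak_token)


def hash_token(raw_token):
    return hashlib.sha256(raw_token.encode()).hexdigest()


def login(db, ak_token, ttl=3600, now=None):
    """Exchange a verified Account Kit token for a fresh session token.

    The user id and phone come from the verification result, never from the
    app, so a client cannot log in as someone else by editing a hidden field.
    """
    now = int(time.time()) if now is None else now
    identity = verify_account_kit_token(ak_token)
    if identity is None:
        return None
    db.execute("INSERT OR REPLACE INTO users (user_id, phone) VALUES (?, ?)",
               (identity["id"], identity["phone"]))
    raw_token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
    db.execute("INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
               (hash_token(raw_token), identity["id"], now + ttl))
    db.commit()
    return raw_token


def user_for_token(db, raw_token, now=None):
    """Resolve a session token to a user id, or None if unknown or expired."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT user_id, expires_at FROM sessions WHERE token_hash = ?",
                     (hash_token(raw_token),)).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    if expires_at <= now:
        # Expired: drop the row. The app must call login() again and receives a
        # new token already keyed to the same user_id; no id is sent by the app.
        db.execute("DELETE FROM sessions WHERE token_hash = ?", (hash_token(raw_token),))
        db.commit()
        return None
    return user_id


def get_profile(db, raw_token, now=None):
    """What the data endpoint returns: rows filtered by the token's user only."""
    user_id = user_for_token(db, raw_token, now)
    if user_id is None:
        return None
    user_id, phone = db.execute("SELECT user_id, phone FROM users WHERE user_id = ?",
                                (user_id,)).fetchone()
    return {"user_id": user_id, "phone": phone}


def logout(db, raw_token):
    db.execute("DELETE FROM sessions WHERE token_hash = ?", (hash_token(raw_token),))
    db.commit()


if __name__ == "__main__":
    db = open_db()
    token = login(db, "ak-token-alice", now=1000)
    print(get_profile(db, token, now=1500))   # alice's profile
    print(get_profile(db, token, now=5000))   # None: expired, log in again
```

This answers the three numbered points: the token lives in its own table with a foreign key to the user (1); on expiry the app simply logs in again and the server inserts a new row for whichever user Facebook vouches for, so the app never sends an ID (2); and the login request carries only the Account Kit token, not the phone number or ID (3). Sending the session token over HTTPS is still required, since the token is the credential.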