Web and Mobile Session Management

The length of a web browser session varies from website to website, but the default is typically 30 minutes. For usability reasons the default for mobile apps is much longer. A mobile user would not expect to have to log in to the same app more than once or, at most, twice a day. Most apps allow the user to remain logged in for days at a time.

The lifecycle of an Android app means that it can go into the background and be restarted as long as the user doesn’t intentionally stop it by removing it from the list of active apps.

There seems to be a perception that mobile apps should allow you to stay logged in permanently, but this isn’t secure. Choose a reasonable session timeout for your Android app. If it’s a ...
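As an added example that is not code from the book, here is a session timeout policy that combines an idle limit with an absolute limit and keeps its two timestamps in a pluggable store, so the check still holds when Android kills and restarts the process. The `Store` interface and `MemoryStore` are assumptions for the demonstration; an app would back `Store` with its persistent storage.

```java
import java.util.HashMap;
import java.util.Map;

/** Idle + absolute session timeout whose state is persisted, so it survives an app restart. */
public final class SessionPolicy {
    /** Minimal persistent key/value store; the app supplies a real one (hypothetical interface). */
    public interface Store { Long get(String key); void put(String key, long value); void clear(); }
    /** In-memory store used only for this demonstration. */
    public static final class MemoryStore implements Store {
        private final Map<String, Long> map = new HashMap<>();
        public Long get(String key) { return map.get(key); }
        public void put(String key, long value) { map.put(key, value); }
        public void clear() { map.clear(); }
    }
    private static final String KEY_LOGIN = "session.login_at";
    private static final String KEY_ACTIVE = "session.last_active_at";
    private final Store store;
    private final long idleLimitMs;     // max gap between two user interactions
    private final long absoluteLimitMs; // max session age since login, regardless of activity

    public SessionPolicy(Store store, long idleLimitMs, long absoluteLimitMs) {
        this.store = store; this.idleLimitMs = idleLimitMs; this.absoluteLimitMs = absoluteLimitMs;
    }

    public void onLogin(long nowMs) { store.put(KEY_LOGIN, nowMs); store.put(KEY_ACTIVE, nowMs); }

    /** True while both limits hold. Missing state or a clock that went backwards fails closed. */
    public boolean isValid(long nowMs) {
        Long login = store.get(KEY_LOGIN), active = store.get(KEY_ACTIVE);
        if (login == null || active == null || nowMs < active) return false;
        return nowMs - active <= idleLimitMs && nowMs - login <= absoluteLimitMs;
    }

    /** Call on each interaction or when the app returns to the foreground; wipes the session if expired. */
    public boolean touch(long nowMs) {
        if (!isValid(nowMs)) { store.clear(); return false; }
        store.put(KEY_ACTIVE, nowMs);
        return true;
    }

    public static void main(String[] args) {
        long min = 60_000L, hour = 60 * min;
        SessionPolicy p = new SessionPolicy(new MemoryStore(), 30 * min, 12 * hour);
        p.onLogin(0);
        System.out.println(p.touch(20 * min));  // true: 20 min since login, within the idle limit
        System.out.println(p.touch(51 * min));  // false: 31 min idle, session wiped
        p.onLogin(0); long t = 0; boolean ok = true;
        while (ok) { t += 10 * min; ok = p.touch(t); }   // an active user never goes idle...
        System.out.println(t / min);            // 730: ...but the absolute limit still ends it after 12 h
    }
}
```

Because both timestamps live in the store rather than in object fields, a freshly restarted process reaches the same verdict as the one that was killed, which is what makes the timeout enforceable across the Android lifecycle described above.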
