How can I maintain player session?

Discussion in 'Multiplayer' started by electro_unity, Feb 18, 2019.

  1. electro_unity

    Hi, I implemented a user register/login system with PHP and MySQL. By now it creates the users and identifies correct credentials (hopefully in a secure way). However, after this verification, I don't know exactly how I should handle the later connections to the database.

    The first approach I can think of is to store the password (in a local variable in Unity) and check the credentials each time I need to connect to the database. (Very bad idea, I guess.)

    However, if I don't use the password and just the username (obviously after the login), would it not be too easy to get others' data without passwords? (A little reverse engineering, get the URL, change the username...)
     
  2. wccrawford

    Storing the password is indeed a very bad idea.

    You should store a token generated by the server that is linked to the user. That token should be something that can be removed server-side and force the player to log in again, for security reasons. Whether or not you intend to allow multiple valid tokens for a single account is up to you.

    In the client, it'd be best if this token wasn't stored in plaintext, but no matter how you store it, people *can* decompile your app and access that token, so that's something to be aware of.
     
  3. JeffDUnity3D

    I might suggest that clients should never connect directly to a database. If you have 500 concurrent users, you have 500 db connections! Instead, use a web service that the client connects to, and then use a single connection to the db.
     
    Joe-Censored likes this.
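
The server-issued, revocable token suggested in the thread, sketched as the PHP a web service in front of the database could run. This is an added example, not code from any poster; the `sessions` table, the function names and the user ids are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in memory replaces the thread's MySQL database.
// Only the SHA-256 of each token is stored, never the token itself.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL)');

// Call once, right after the password check succeeds. The return value is
// what the Unity client keeps instead of the password.
function issueToken(PDO $db, int $userId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;
}

// Call on every later request. The user id comes from the session row,
// never from a username parameter supplied by the client.
function userForToken(PDO $db, string $token): ?int
{
    $stmt = $db->prepare(
        'SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Server-side revocation: the token stops working and the player must log in again.
function revokeToken(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed walk-through with made-up user ids 7 and 8.
$first  = issueToken($db, 7);
$second = issueToken($db, 8);
var_dump(userForToken($db, $first));              // lookup with a valid token
var_dump(userForToken($db, str_repeat('0', 64))); // lookup with a guessed token
revokeToken($db, $first);
var_dump(userForToken($db, $first));              // lookup after revocation
var_dump(userForToken($db, $second));             // the other session is untouched
```

Because each request is resolved to a user through the token row, changing a username in the request URL has no effect on whose data is returned.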