In ThunderRAR v1.0, session data flows entirely through AndroidDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Viruz7w7/thunderRAR/llms.txt
Use this file to discover all available pages before exploring further.
Intent extras rather than a persistent store. When an employee completes registration in activity_registro, their username and password are attached to an Intent that launches MainActivity. The login screen then holds those values in memory as instance variables for the lifetime of the Activity, comparing them against the credentials the employee types into the login form when they attempt to sign in.
Session flow
Registration — credentials are packaged into an Intent
The employee fills in a username and password in A short
activity_registro. When they tap the submit button, the enviar(View) method validates that neither field is empty, then creates an Intent targeting MainActivity and attaches the credentials as extras:Toast confirms successful registration before the transition.Login screen — extras are received and stored in memory
MainActivity.onCreate() is called with the incoming Intent. The extras are extracted immediately and stored as private instance variables on the Activity:MainActivity instance is alive.Login attempt — form input is compared to stored extras
When the employee submits the login form, If either stored extra is
inicioSesion(View) reads the current values of the username and password EditText fields and compares them to the stored extras:null (i.e. the user reached the login screen without registering first), the method shows a prompt to register and returns early.Intent extras reference
The following extras are written byactivity_registro.enviar() and read by MainActivity.onCreate().
| Key | Type | Description |
|---|---|---|
"dato" | String | The employee’s chosen username (plain text). |
"dato2" | String | The employee’s chosen password (plain text). |
inicioSesion runs, the user is prompted to complete registration before attempting to sign in.
Limitations in v1.0
The Intent-extra approach is straightforward to implement but carries several practical limitations that matter for any production deployment.- Credentials exist only in memory. Once the
MainActivityinstance is destroyed,datoUsuarioRecibidoanddato2PasswordRecibidoare lost. There is no way to recover the session without going through registration again. - App close or force-stop clears the session. If the user navigates away and Android kills the process, the stored extras are gone.
- Screen rotation may recreate the Activity. Unless the
Intentis re-delivered (which Android does on a standard relaunch from the back stack), rotating the device can set both instance variables back tonull. - No token or persistent session. There is no session token, cookie, or shared-preferences flag that survives beyond the current process lifetime.
- Single-user model. Only the most recently registered set of credentials is held in memory; the app cannot distinguish between multiple employees on the same device.
Recommended improvements
The following changes would bring ThunderRAR’s authentication layer up to production standards.- Persist credentials in SQLite via
BaseDeDatosUsers. Write the registered username and a hashed password to theuserstable inBaseDeDatosUsersso that credentials survive app restarts and can be looked up at login time without requiring re-registration. - Use Android’s
EncryptedSharedPreferencesfor session tokens. After a successful login, generate a session token and store it inEncryptedSharedPreferences(part of the AndroidX Security library). Check for a valid token onMainActivity.onCreate()to auto-login returning users. - Hash passwords before storage. Apply a one-way hashing algorithm such as BCrypt or Argon2 to the password before it is written to the database or shared preferences. Compare hashes at login time rather than comparing plain-text strings.
- Avoid passing raw passwords through Intent extras. Intents can be inspected by other apps with the
READ_LOGSpermission on older API levels. Keep credentials out of the Intent system entirely once a database-backed flow is in place.