How would I go about creating a login

The set-up: I have an android application that so far can register a user by inserting values into a remote mysql database. I'm now trying to implement the log in.

I was thinking that I can add a "logged in" column to the user table in the database that would store whether or not the user was logged in. Then I would have a trigger that would log the user off after a certain amount of time has been elapsed.

The application's use is to retrieve files based upon if the user has access to a certain file. For this I have an "access" column in the user table table specifying the access a user has to a certain file. I was thinking that when a user clicks an item in a list the application woul开发者_如何学Cd send their login information and the server would determine if the information was correct then check to see if they had access to the specified file then send back the file if the information is correct.

The problem I'm having though is that checking the registration information takes about 2 seconds alone(due to connecting to the socket and sending a string over the network) and if I try to check both the login and the access id it would take slightly longer.

I feel as if I'm trying to reinvent the wheel but I can't find any viable resources on this matter. Criticisms? Suggestions?

(I wouldn't mind doing a complete redesign I just need to know where to start)

---

Never connect a client to a db-server. There's no way to intercept hacking attempts, because privileges are very basic (SELECT, UPDATE, etc., they ignore the query):

UPDATE users SET name='%s' WHERE userID=%i // where %i will be defined as the real userID

Above should be a valid query to update the user's account-information, however, a hacker can easily intercept this and change it into:

UPDATE users SET name='%s' WHERE userID=15 // ... or any other variable

Instead, you should create a web based API which will validate each query, or better, support only specific API-commands:

account/update.json?name=%s