Hi,

I am working on a multiplayer card game and thinking about how I handle the login.

The connection to my backend happens automatically.

When creating a new account, I wanted to create a token and send it to the client.

I have taken the timestamp and these hashed with the UUID in SHA.

But that does not seem the best solution to me.

In Android, I can use the account manager to generate a token, but then a message prompt.

Clash of Clans uses a system to detect clients without login or message prompt and

use facebook or google+ just for transfering the account.

What is the best practice to detect my clients without an active login or message promp ?

Depends on the features and security you need from your login system.

To totally avoid user interaction, in a simple scenario you could:

1. Read the device unique ID, or generate and cache a random UUID.
2. Send that to your server.
3. Server identifies the client and ties them to an account for identity and data segregation. This may allow you to later add account recovery on new devices, perhaps.
4. Server replies with a session token.

If you want to avoid having a server-side session store you could return something like a JSON Web Token. This is generally better than a SHA hash because you can use the token contents (account ID, time of login) but still verify the token crypto hash to check it's a real token issued by your server.

There are a bunch of other ways you could try, but these are fairly simple and popular.

Hope this helps!

Source: I'm one of the engineers at Heroic Labs, we've seen a lot.