Lets say you have a web app related Android app that requires the user to login in order to use it. The user logs in, in the Login screen activity and then proceeds to other activities. Each time the user starts an Activity, the app checks his login credentials again (The credentials are stored in a central database somewhere).
As the user jumps from one activity to another, lets pretend that the user's login credentials are revoked from the service. The next time the user visits an Activity, the app will see that he no longer has access. The app should now kick the user back to the login screen Activity.
But since there is already a stack of Activities that the app has created as the user used the app, how do you get the login screen. Do you kill/destroy all Activities until you reach the login screen Activity (which should be the Activity at the bottom of the stack for the app)?
Or do you start a new Login Screen Activity and go straight to that?
Or should I call the Login Screen Activity with the FLAG_ACTIVITY_CLEAR_TOP passed through the intent?
After the user is able to login the second time (lets say he got his credentials reinstated), if the Activity is now the only one in the stack, pressing the back button will take him out of the App, as opposed to going back to what he was doing before having his credentials revoked. What is the best approach to this?
My personal choice is to set up all of your activities (besides the login activity, of course) to check the user's credentials in onResume() (I do this by inheritance, with all of my Activities inheriting from an abstract AuthorizedActivity, but do what works for you). If the user does not have credentials (either because they don't have them or they've been revoked) then I startActivityForResult() the login activity. If the LoginActivity returns a valid user, all is well. If the user is a valid but different one from who was logged in before, I take them to my root activity with FLAG_ACTIVITY_CLEAR_TOP. pressing the back button from the loginActivity does them no good, as the app will bounce them straight to home.
I find that the approach gives me flexibility in deciding when and how I will check/revoke credentials, even if they leave (briefly) the application.
Login screen activity with FLAG_ACTIVITY_CLEAR_TOP will work but will remove all of the user's history. Do you care if they renew their credentials and then press back? Should that preserve their history?
You may consider FLAG_ACTIVITY_SINGLE_TOP and FLAG_ACTIVITY_NO_HISTORY for the login activity.
If you want all previous tasks to redirect to the login screen, you'd make sure to do the check in onResume so that they can't go back through the stack after having permission revoked.
Keep in mind that you can also set these flags on the <activity> element in the manifest.
