Hey guys, I have a few questions about implementing a login feature in Android.
1. Does Android have anything like sessions or cookies?
How should I 'remember' that the user is logged in? Obviously I don't want to ask for the password every time my application is used!
2. Should I hash the password before sending it to the server?
I have a table in my database with a user and password column. When I want to check the login, should I send the password hashed to the server, like login.php?u=sled&p=34819d7beeabb9260a5c854bc85b3e44, or just plain text like login.php?u=sled&p=mypassword and hash it on the server before I perform the authentication?
Does Android have anything like sessions or cookies?
Yes. There are two alternatives.
Option #1:
You can use CookieManager to set your cookie.
Option #2:
The other alternative (I'm using this alternative in one of my applications) is to grab your cookie after you've sent your username and password to the server (e.g. via HttpPost or HttpGet). In your question you're using the $_GET style of login authentication, so my sample code will be using HttpGet.
Sample code using HttpGet:
    import android.util.Log;
    import org.apache.http.HttpEntity;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.CookieStore;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.params.BasicHttpParams;
    import org.apache.http.params.HttpConnectionParams;
    import org.apache.http.params.HttpParams;

    // Returns the CookieStore holding the session cookie the server set,
    // or null if the login request failed.
    public static CookieStore login(String username, String password) {
        HttpParams httpParams = new BasicHttpParams();
        // It's always good to set how long they should try to connect. In this
        // example, five seconds.
        HttpConnectionParams.setConnectionTimeout(httpParams, 5000);
        HttpConnectionParams.setSoTimeout(httpParams, 5000);
        DefaultHttpClient postClient = new DefaultHttpClient(httpParams);
        // Your url using $_GET style. The scheme is required, otherwise HttpGet
        // rejects the URI; https keeps the credentials off the wire in the clear.
        final String url = "https://www.yourwebsite.com/login.php?u=" + username + "&p=" + password;
        HttpGet httpGet = new HttpGet(url);
        HttpResponse response;
        try {
            // Execute your HttpGet against the server and catch the response to our
            // HttpResponse.
            response = postClient.execute(httpGet);
            // Check if everything went well.
            if (response.getStatusLine().getStatusCode() == 200) {
                // If so, grab the entity.
                HttpEntity entity = response.getEntity();
                // If entity isn't null, grab the CookieStore from the client; it
                // holds whatever Set-Cookie headers the server returned.
                if (entity != null) {
                    return postClient.getCookieStore();
                }
            }
        } catch (Exception e) {
            // Don't swallow the exception silently; at least log it.
            Log.e("Login", "login request failed", e);
        }
        return null;
    }
Now when you have your CookieStore, grab a list of cookies from it; after that you can use Cookie to determine the name, domain, value etc.
Next time you're trying to access "locked" content of your website, set a cookie on your HttpURLConnection from your Cookie information:
    import java.io.IOException;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import org.apache.http.cookie.Cookie;

    // Re-sends the session cookie obtained at login when fetching protected content.
    public static int fetchLockedContent(Cookie cookie) throws IOException {
        // The scheme is required, otherwise URL throws MalformedURLException.
        URL url = new URL("https://www.yourwebsite.com/lockedcontent.php");
        HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
        httpURLConnection.setInstanceFollowRedirects(false);
        // "Cookie" is a request header and its value must be "name=value", the form
        // the server sent it in. "Host" is filled in automatically from the URL.
        // Use Wireshark via your computer to see the exact headers on the wire.
        httpURLConnection.setRequestProperty("Cookie", cookie.getName() + "=" + cookie.getValue());
        final int responseCode = httpURLConnection.getResponseCode();
        // And get the content...
        return responseCode;
    }
Should I hash the password before sending it to the server?
Depends on how your system is designed. You must have correct information when sending it to your server. This also depends on how you're hashing your information in your .php file.
How should I 'remember' that the user is logged in?
Store the information in a SharedPreferences or something. Like I said earlier, you can hash it if your login system is correctly designed - this depends on how you're hashing it in your .php file.
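As an added example (not part of the question or the answer above), here is what the server side of this exchange can look like: a login.php that stores passwords with PHP's password_hash(), checks them with password_verify(), and hands the client a session cookie, which is the token the Android code above captures and replays. It assumes the users table with user and password columns from the question, that the password column holds a password_hash() digest rather than a plain or MD5 value, and a getPdo() helper returning a PDO connection; getPdo() and its DSN are placeholders. It reads the credentials from a POST body instead of the login.php?u=...&p=... query string used on the page, and the session_set_cookie_params() array form needs PHP 7.3 or later.

```php
<?php
// Added example of the server side of the login described above (not the
// question's or the answer's code). Assumes: a `users` table with `user` and
// `password` columns, where `password` holds a password_hash() digest, and a
// getPdo() helper (assumed, placeholder DSN) returning a PDO connection.
declare(strict_types=1);

function getPdo(): PDO
{
    // Placeholder DSN and credentials: replace with your own.
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=app', 'app_user', 'app_password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Called when an account is created or the password changes. password_hash()
// picks a random salt and a slow algorithm (bcrypt by default), so two users
// with the same password get different digests and offline guessing is slow.
// Storing md5($password) instead gives an unsalted, fast hash that lookup
// tables reverse directly.
function storePassword(PDO $pdo, string $user, string $plaintext): void
{
    $stmt = $pdo->prepare('UPDATE users SET password = :h WHERE user = :u');
    $stmt->execute([':h' => password_hash($plaintext, PASSWORD_DEFAULT), ':u' => $user]);
}

// Returns true only if the submitted plaintext matches the stored digest.
function checkPassword(PDO $pdo, string $user, string $plaintext): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE user = :u');
    $stmt->execute([':u' => $user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Unknown user: verify against a throwaway digest so the response time
        // does not reveal which usernames exist.
        password_verify($plaintext, password_hash('no-such-user', PASSWORD_DEFAULT));
        return false;
    }
    // password_verify() re-derives the salted hash and compares in constant time.
    return password_verify($plaintext, $stored);
}

// The session cookie is the "I am logged in" token the client stores and
// replays. Secure + HttpOnly keep it off plain HTTP and away from page scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Credentials go in the POST body, not the query string: URLs are written to
// server and proxy access logs, so login.php?u=...&p=... leaves passwords there.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

$user = (string) ($_POST['u'] ?? '');
$pass = (string) ($_POST['p'] ?? '');

header('Content-Type: application/json');
if ($user !== '' && checkPassword(getPdo(), $user, $pass)) {
    // Fresh session id on login so an id issued before authentication cannot
    // be reused as the authenticated one.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_at'] = time();
    echo json_encode(['ok' => true]);
} else {
    http_response_code(401);
    echo json_encode(['ok' => false]);
}
```

Two points this layout makes concrete for the questions above. If the Android client sends a hash instead of the plaintext, the server must still run it through password_hash()/password_verify(); whatever string the server compares against its table is the effective credential, so a stored MD5 that is compared directly is no better than a stored plaintext. And the value worth keeping in SharedPreferences for "remember me" is the session cookie the server returned (the PHPSESSID cookie here), not the password; the server can then expire or revoke that session without the password ever being stored on the device.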