I created a responsive app and a native app: the native app is basically just a UIWebView containing the responsive app.
How can I check on the server side (PHP, etc.) where the request comes from?
Is there any possibility to modify requests sent from UIWebView or something else?
I see two possible approaches:
URL parameter
You could have a parameter in your URL to indicate the source of the request.
For instance, if the URL of your web app is
http://myserver.com/mypath
you could use the following URL in your native app's UIWebView:
http://myserver.com/mypath?src=native
On the server side, you can retrieve this parameter, e.g. in PHP:
$src = $_GET['src'] ?? '';  // the parameter may be absent
if ($src === 'native') {
    // Request from native app
}
If your app has multiple pages, then you should modify the way your links are created to propagate this parameter when navigating from one page to another one.
Cookie
In the native app, you could manually set a custom cookie which would be sent along your requests and which you would retrieve on server side.
The following post may help you for that: Is it possible to set a cookie manually using sharedHTTPCookieStorage for a UIWebView?
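Added example, not part of the answer above and written in Python rather than the answer's PHP: reading the source marker on the server and propagating it on same-site links only. The cookie name `src`, the allow-list and the helper names are assumptions made for this sketch.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

KNOWN_SOURCES = {"native", "web"}        # allow-list; anything else counts as "web"
APP_ORIGIN = ("http", "myserver.com")    # origin of the answer's sample URL


def request_source(query_string, cookie_header=""):
    """Classify a request from the src parameter, falling back to a src cookie.

    Both values are chosen by the client, so the result is a display hint only.
    """
    params = dict(parse_qsl(query_string))
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    value = params.get("src") or (cookie["src"].value if "src" in cookie else "")
    return value if value in KNOWN_SOURCES else "web"


def propagate(href, current_url, source):
    """Return href carrying src=<source>, but only for links that stay on the app."""
    absolute = urlsplit(urljoin(current_url, href))
    if (absolute.scheme, absolute.netloc) != APP_ORIGIN or source == "web":
        return href  # off-site link or default source: leave untouched
    query = [(k, v) for k, v in parse_qsl(absolute.query, keep_blank_values=True)
             if k != "src"]              # drop any stale marker before re-adding
    query.append(("src", source))
    return urlunsplit(absolute._replace(query=urlencode(query)))
```
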
Related
From a UI5 application I send a request to the server side via the Fetch API, and on the server side I send a response with a redirect to the UI5 app root directory:
import {constants as httpConstants} from "http2";
res.statusCode = httpConstants.HTTP_STATUS_MOVED_PERMANENTLY;
res.header("Location", "/");
The UI5 application gets the response, but the browser doesn't redirect the user. The only way to redirect the user to the app root is:
sap.m.URLHelper.redirect("/", false);
Is there any way to force the browser to redirect the user to the UI5 app root without using sap.m.URLHelper? I want to make it as hard as possible to prevent the redirection, e.g. with the help of the browser's DevTools.
UI5 routing is currently using the # part (called fragment or anchor).
This is client side part of the URL and unknown to the server.
You may have luck with some backend technologies and browsers, but in general this will not work.
As DevTools can manipulate anything anyway… Make sure the backend is secure. The UI can always be changed by the user, no matter what obscure security measures you make up.
You can try using the HashChanger to route it back to login page!
Once your validation from the server is done, use the code below!
jQuery.sap.require("sap.ui.core.routing.HashChanger");
sap.ui.core.routing.HashChanger.getInstance().replaceHash("");
I am writing a mobile iOS application, which communicates with a Pyramid app on the backend. I am currently using Pyramid's built-in AuthTktAuthenticationPolicy.
I've met some speed bumps while attempting to authenticate via a mobile client (iPhone). For starters, how would I send and retrieve the auth_tkt cookie that is set by Pyramid?
I understand how this works with a web browser, but, if I want to send this "auth_tkt cookie" in the HTTP response, how can I accomplish this? How do I actually get the auth_tkt secret string? For example, what if I'd like to return it in the JSON body or a custom header of my choosing rather than as the cookie set by Pyramid's remember function?
Secondly, in future requests sent by the client what header do I set with the auth_tkt secret string so that Pyramid recognizes it and appropriately authenticates the client?
Using the Pyramid Helper Classes here, it looks like you can create your own auth_tkt and access it as well. Example from docs:
import os
from pyramid.authentication import AuthTicket

token = AuthTicket('sharedsecret', 'username',
                   os.environ['REMOTE_ADDR'], tokens=['admin'])
val = token.cookie_value()  # string to place in the auth_tkt cookie
The headers attribute is a webob ResponseHeaders object; it derives from the webob multidict. You can get its value by using this:
set_cookie = request.response.headers['set-cookie']
You can refer to this link: webob multidict
I have HTML code containing FB profile pictures /clickable, etc./.
Using
fb:profile-pic and FB.XFBML.parse
I receive image url with HTTP. To have HTTPS I'm using:
https://graph.facebook.com/user_id/picture?return_ssl_resources=1
but have to generate code to make image clickable and add other attributes existing in fb-profile-pic.
I wrote this code 4 months ago.
Now I'm seeing that fb:profile-pic is returning an HTTPS link to the image. Nothing is mentioned in the FB documentation about a change in behaviour /HTTP or HTTPS/.
Does anybody know about the current state of FB.XFBML.parse - secure or non-secure links?
By default the protocol of the returned profile picture URL is the same as the protocol used to request the image.
So https://graph.facebook.com/zuck/picture will return the SSL version of Mark’s profile picture, while http://graph.facebook.com/zuck/picture will return an HTTP URL.
return_ssl_resources can be used with both, with value 0 for an HTTP and 1 for an HTTPS URL.
Does anybody know about the current state of FB.XFBML.parse - secure or non-secure links?
I think the JS SDK should be able to decide this automatically, based upon the protocol the embedding page was requested with.
Is there a way to go to a url without redirecting to it? Basically I want to call a url from within my application in the background so it can logout a reliant party.
Appreciate the help.
What you are trying to do is not up to us to answer, as it's directly related to your own authentication implementation.
With normal ASP.NET authentication based on Forms Authentication, you will always need to launch the URL from a browser, as that is where the authentication given resides.
You can give it a try yourself by opening your website and logging in to it; after that, open your application URL in another browser brand (not another browser window)... you will see that you need to log in again, as the authentication is hooked up to the first browser.
It's up to you as the application architect to make this work by implementing another way of authentication. Normally, in these kinds of cases, this happens when consuming web services where you need an authentication code first (given by calling a Login method) and that code always needs to be appended to the body or header of any call to the system.
This way you can easily remove the authentication code and all procedure calls will fail.
As said, this is not up to us, it's up to you to create the correct Authentication Layer.
from your comment
it's as simple as using WebClient object
// requires: using System.Net;
WebClient client = new WebClient();
string reply = client.DownloadString(address);
If you wish to transfer to a new url request you can still use
Server.TransferRequest()
The problem with this is that by not using a redirect the browsers address bar will not reflect the fact that you have moved their request to another URL.
To have the client visit a given URL in the background you should either make an AJAX call to it or possibly have an image with an src of your logout url (though you'd have to make sure that you return a FileResult of your image too). This is how most analytics packages call to their relevant urls in the background.
The problem here though is that neither is 100% reliable, turn off javascript or images on your browser and these results fail.
From what you've said I think what you're after is for a user to continue to any of a variety of pages rather than a specific logout page. If this is indeed the case your best solution is in fact a double redirect.
Have your application redirect to your logout URL, but beforehand put the URL of the page you want them to go to into TempData. Then in the ActionResult for the logout page you can do your logging out as required and return a redirect to the URL from TempData.
I need to include some secure (BASIC authentication) application.
when I open the application URL in the browser, the browser asks me to enter your credentials ...
what I know is that:
The browser asks the server to get some URL -- the URL of the app
The server checks the request header for the Authentication header and doesn't find it
The server sends a 401 back to the browser
The browser interprets this response code into a message dialog that is shown to me, asking me to enter the username/password to send back to the server in the Authentication request header
So far... so good, I can write some page (in JSP) that sends this required HTTP request header with the request that is calling this page.
So I'll call this application through my page.
The problem here is that this application (in fact a GWT application) contains references to some JavaScript and CSS files that come from the server that hosts this application. The application page that I import looks like:
<html>
<link rel="stylesheet" href="http://application_host/cssfile.css" />
<script src="http://application_host/javascriptfile.js"></script>
.....
</html>
So, again I found the application asks me for the authentication credentials for the CSS and JS files!
I am thinking of many solutions but don't know the applicability of each.
One solution is to ask the browser (via JavaScript) to send the request header (Authentication) when it asks the server for the JS and CSS files.
Please give me your opinions about that... and any other suggestions will be very welcome.
Thanks.
I think you're running into some weirdness with how your server is configured. Authentication happens in the context of an authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
Judging from your story, something tells me your problem is with the authentication method itself, not how to implement it. Why do you want to bother with the request header so much?
As far as I know, you can configure your container (i.e. Tomcat) to force HTTP authentication for certain URLs. Your container will make sure that authentication has taken place. No need to set HTTP headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
Why are the CSS & JS files kept in a protected area of the server? You need to place the files in a public area of your server. If you don't have a public area, you need to provide one. How to do it depends on the server-side software architecture & configuration.
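Added example, not from any of the posts above: a small Python model of the 401 / realm exchange from the question and of the two fixes the answers suggest (assets in the same realm as the page, or assets made public). The account, the path prefixes and the realm names are made up, and the browser model is simplified to always try a request without credentials first.

```python
import base64
import hmac

USERS = {"alice": "s3cret"}  # constructed demo account, not from the post

def check_basic(header):
    """Return the user name for a valid 'Basic <base64(user:pass)>' value, else None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison, also performed for unknown users.
    same = hmac.compare_digest(password.encode(), (expected or "").encode())
    return user if sep and expected is not None and same else None

def make_server(rules):
    """rules: (path_prefix, realm) pairs, first match wins; realm None means public."""
    def handle(path, headers):
        for prefix, realm in rules:
            if path.startswith(prefix):
                if realm is None or check_basic(headers.get("Authorization")):
                    return 200, {}
                return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}
        return 404, {}
    return handle

def browse(handle, paths, user, password):
    """Simplified browser: prompt once per realm, then replay the cached credentials."""
    token = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    cached, prompts, statuses = {}, 0, []
    for path in paths:
        status, hdrs = handle(path, {})
        if status == 401:
            challenge = hdrs["WWW-Authenticate"]
            if challenge not in cached:  # unseen realm: the login dialog appears
                prompts += 1
                cached[challenge] = token
            status, _ = handle(path, {"Authorization": cached[challenge]})
        statuses.append(status)
    return prompts, statuses

PAGE = ["/app/index.html", "/static/cssfile.css", "/static/javascriptfile.js"]
SPLIT_REALMS = make_server([("/static/", "assets"), ("/", "app")])   # second prompt
SAME_REALM = make_server([("/static/", "app"), ("/", "app")])        # one prompt
PUBLIC_ASSETS = make_server([("/static/", None), ("/", "app")])      # one prompt
```
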