I have an Android application which makes requests to my webserver via both a WebView and an HttpClient. I sync cookies between the two using a CookieSyncManager. So far, so good.
When my application starts (inside onResume()), I run a piece of logic similar to the following:
if ( appHasBeenIdleFor30Minutes() ) {
CookieManager cookieManager = CookieManager.getInstance();
cookieManager.removeSessionCookie();
CookieSyncManager.getInstance().sync();
}
This correctly resets any session cookies that were set from the user's previous session. My question is: will this behavior happen periodically on its own? This question (android webview or browser not deleting session cookies on device reboot) seems to suggest that it does not. When I use the cookie-sync'd HttpClient via a Service it appears that session cookies are not cleared, thus resulting in strange server-side behavior.
I've been unable to find concrete documentation on the lifecycle of session cookies (expiration time=0) inside a WebView/CookieSyncManager - has anyone else had more luck?
I received a response directly from a Google engineer, who confirmed my suspicions:
You are correct, session cookies do not expire automatically in the
lifecycle of a WebView.
If you are seeing issues with this, you can always clear all of your
cookies or overwrite your session cookies explicitly with an empty value.
The code you have suggested looks like a good workaround, just be aware
that cookie synchronisation using a CookieSyncManager is not synchronous -
the startSync(), stopSync() and sync() commands are executed
asynchronously in a background thread.
TL;DR - session cookies do not expire when a WebView closes, you'll have to manage that yourself.
Related
I am attempting to Login to my app with JMeter Script.
I have Cookie Manager and a Cache Manager added
My Thread Group script
GET on main login page (/app) to return session id and form fields
and cookie
POST of completed form fields with cookie (/posthandler) with "follow redirects
What happens is
POST sends initial cookie (from GET) and form fields and logs in ok
the session is established (I see a record in our app database)
the response is a redirect with a new cookie
JMeter redirects (GET) to the session url (/app?session=xxxxx)
this goes with "[no cookies]" (according to request panel)
As that request arrives without the new cookies - the app issues a second redirect back to the login page.
So is there a way to force the GET Redirect after the POST response to send the cookie?
My theory is that JMeter is that, because of the different URI path for the POST and redirect GET, JMeter is not sending the cookie.
I have tried
various Cookie Manager settings (standard, default, compatibility).
followed this Understanding and Using JMeter Cookie Manager and set check.cookies=false.
and advice SO - JMeter: Login flow involving URL redirection not working including making sure there was an init
My problem was self-inflicted !
I was running against a different environment than usual which had a different context root e.g. /test/app rather than /app. For this I amended my ${Domain} User parameter with "my.domain.com/test" rather than adjust all the Path settings.
For requests sent this approach appeared to work as the ${Domain}+${Path} resolved to the correct URL - but the Cookies created by the server were for ${Path} (as in /test/app) and JMeter was seeing this differently (as in /app).
I have now introduced a ${CtxRoot} User variable (set to /test/) and prepended this to all my Path values - and my Login is now working.
Amazon has an administration page for content sent to your Kindle. This page uses an undocumented HTTP API that sends requests like this:
{
"csrfToken":"gEABCzVR2QsRk3F2QVkLcdKuQzYCPcpGkFNte0SAAAAAJAAAAAFkUgW5yYXcAAAAA",
"data":{"param":{"DeleteContent":{"asinDetails":{"3RSCWFGCUIZ3LD2EEROJUI6M5X63RAE2":{"category":"KindlePDoc"},"375SVWE22FINQY3FZNGIIDRBZISBGJTD":{"category":"KindlePDoc"},"4KMPV2CIWUACT4QHQPETLHCVTWEJIM4N":{"category":"KindlePDoc"}}}}}
}
I made a wrapper library for the previous API they used, but this time they have added CSRF tokens, making each session unique. That is a bit of a show stopper, and I was wondering how I can get hold of these tokens. I did not find it in the cookies. This is for use in a Chrome Extension, so issues like CORS is not an issue.
Actually, after manually going searching the Response tab of each request in the "XHR" and "Doc" tab, I was able to find out that this token is set in an inline script in the myx.html (main page):
var csrfToken = "gPNABCIemSqEWBeXae3l1CqMPESRa4bXBq0W7rCIAAAAJAAAAAFkUlo1yYXcAAAAA";
This means it is set on the window object, making it available for all there. I guess this means a Chrome extension would need to fetch this page and manually parse the html to retrieve this token. Sad, but doable, although highly fragile :-(
I am trying to communicate to a RESTFul API using MATLAB. the API uses session cookie to remember the user. My MATALB is 2015b and as long as I know, it does not support the new HTTP Interface.
my problem is that using the webread and webwrite functions in MATLAB, the session cookie is not attached to the request and therefore each time server generates a new session.
I tried to use urlread2 to read the session cookie and generate a new one with the same content, for sending back to the server, but the session cookie is HTTPOnly and therefore my generated cookie is not valid for the server.
Can anyone help me with an idea or solution? does MATLAB 2016b forward the session cookie automatically (using HTTP interface)?
I was able to find a solution to this problem:
first problem is to get the cookie info in MATLAB. versions earlier than 2016b are probably not able to do it, so I had to use for it:
[output,extras] = urlread2('http://www.example.com/','GET');
cookie = extras.firstHeaders.Set_Cookie; % make sure to get the content of the right session cookie
now that we have the cookie, let's add it to the |weboptions| like this:
opts = weboptions('KeyName','Cookie','KeyValue',cookie);
and now simply every time that you use |webread| or |webwrite| , attach the |opts| to it:
response = webread('http://www.example.com/',opts);
But using this method, it is very easy to do XSS attacks on websites that use HTTPOnly cookies for session management! unlike all the web browsers, matlab allows you to edit or create HTTPOnly cookies! more info here
Is there a way to go to a url without redirecting to it? Basically I want to call a url from within my application in the background so it can logout a reliant party.
Appreciate the help.
What you are trying to do does not compete us to answer as it's directly related to your own Authentication implementation.
A normal ASP.NET Authentication based in Forms Authentication you will need always to lunch the url from a browser as it is there that relies the Authentication given.
You can give yourself a try by opening your website and log in into it, after that, open other browser brand (not browser window) into your application url... you will see that you also need to login again as the Authentication is hook up into the first browser.
It's Up to you as Application Architect to make this by implementing another way of authentication, normally in this kind'a cases, this happend when consuming web services where you need a authentication code first (given by calling a Login method) and that code is always needed to be appended to the body or header of any call to the system.
This way you can easily remove the authentication code and all procedure calls will fail.
As said, this is not up to us, it's up to you to create the correct Authentication Layer.
from your comment
it's as simple as using WebClient object
WebClient client = new WebClient ();
string reply = client.DownloadString (address);
If you wish to transfer to a new url request you can still use
Server.TransferRequest()
The problem with this is that by not using a redirect the browsers address bar will not reflect the fact that you have moved their request to another URL.
To have the client visit a given URL in the background you should either make an AJAX call to it or possibly have an image with an src of your logout url (though you'd have to make sure that you return a FileResult of your image too). This is how most analytics packages call to their relevant urls in the background.
The problem here though is that neither is 100% reliable, turn off javascript or images on your browser and these results fail.
From what you've said I think what you're after is for a user to continue to any of a variety of pages rather than a specific logout page. If this is indeed the case your best solution is in fact a double redirect.
Have your application redirect to your logout url but before hand put the url of the page you want them to go to into tempdata. Then in the actionresult for the logout page you can do your logging out as required and return a redirect to the url from tempdata.
I have a use case where a UIWebView may need to connect with a web server secured with NTLM. I also have a use case where I already have the credentials to be passed. So instead of forcing the user to enter them, how do I perform the handshake with the UIWebView?
UPDATE:
Using this method here works well enough when you are doing simple GET requests, but utterly fails when doing POSTs, for the mere fact that it is doing a GET after it is posted.
The ASIHttpRequest and ASIWebPageRequest have the same problem. GET requests work wonders, but any POSTs just don't work. If only the world worked on just GET requests.
I have been able to use this method of including the username and password in the HTTP request string, but that is so grossly insecure as to defy reason for using it. Using a sniffer I am able to see the three-way handshake occur without any problems on both GET and POST requests.
You can set the default credential:
NSURLProtectionSpace *protectionSpace = [[NSURLProtectionSpace alloc]
initWithHost: _host
port: 80
protocol: #"http"
realm: _host
authenticationMethod:NSURLAuthenticationMethodNTLM];
[[NSURLCredentialStorage sharedCredentialStorage] setDefaultCredential:[NSURLCredential credentialWithUser:_username password:_password persistence:NSURLCredentialPersistenceForSession] forProtectionSpace:protectionSpace];
Now you can let your webviews do the request, and when it encounters your protenctionSpace it logs in using the given credentials
As of iOS 3.2 and 4.1, there is no public delegate for intercepting the NTLM challenge. There is, however, a private API that can be overriden to give proper support for this. Since this would put your application in danger of being rejected, I will forgo posting the code because it is of no worth for App Store development at the present time.
If you're willing to try some experimental code, you could use ASIWebPageRequest.
It would be a bit hacky, as you'd have to download the page content with ASIWebPageRequest, load it into a UIWebView, then capture any link clicks in the web view and repeat the process again (if the content at the URL requires authentication). Also, I think you'd have to manage your own history stack.
I don't think it would be easy, but it does seem doable, and it seems like it should work as long as the ASIWebPageRequest code isn't too buggy or limited.
UIWebView doesn't support authentication at all. Up to iPhone OS 3.1, you could add credentials to the central credential storage and UIWebView would at least work with basic authentication. But starting with iOS 4.0, I don't see any way to use authentication (except cookie or URL based forms authentication).