I have an application that may access authenticated content. I know that the webview can't handle authentication so I do some NSConnection magic to make it work (something similar to this)
The thing is that there is some content that can be accessible using this web view, but there is some other content that event after a sucessfull authentication, the web view is not able to load.
BUT.. if I enter the same url with mobile safari, enter the needed credentials and then I go back to my app, the WebView seems to load the content fine.
I tried reviewing the cookies before and after the auth in Safari is done using this code
[[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies];
and the cookies are the same.
As far as I understand that code will retrieve the cookies my app generates and not the ones available in iOS, so apparently this is not the way to look for a hint...
Any ideas?
Recently, i've lurked for the same question over the internet, and the answer is "no" =(.
Objects of UIWebView class and Safari or other browsers live apart and are sandboxed.
Here is official position about cookies.
TO the best of my understanding, Cookies can not be sent with the first request from a Webview, but can be sent with subsequent requests to the same URL, if and only if, the first request was successful.
This causes problems with authentication services that require cookies to authenticate on the first request to the URL.
Possibly user credentials are stored via keychain api. Keychain is shared between apps, so stored login/pass in Safari can appear in your app UIWebView.Can you elaborate this as i also need this.
Related
I use asiHttpRequest library to do data get and post.
I have built a login function with it to login to my site, after that, if I launcher a URL from my app to use mobile safari app browse the site, it still remains not authenticated.
I guess the reason is that my app does not share the same cookie storage with safari, is that correct? is that possible I share the cookies with other apps, especially the Safari?
You can NOT share cookies in your App with Mobile Safari. As #erpayo said, it's in Sandbox.
Maybe add a UIWebView into your App is the best solution. Do not open an URL in Mobile Safari but open it in the UIWebView. It can get your cookies.
no, it's not.
Cookies are sandboxed.
Maybe you can make some server side tracking using query string parameters, but it will become a security hole
I made an application that uses UIWebView to display a site that uses basic authentication. It stopped displaying the content since iOS3.2 (on both iPhone and iPad).
My approach for authenticating users are:
create a NSURLConnection
implement didReceiveAuthenticationChallenge to provide the credential
implement didReceiveResponse to receive the response and load the request in a UIWebView, i.e. [webView loadRequest:]
Ever since iOS3.2, the authentication was broken; UIWebView doesn't seem to check against the shared credential storage any more.
For iOS4 on iPhone, I managed to work around this issue by, stupidly, including the login informatino in the URL (i.e. https://username:password#www.somesite.com) to the initial load request passed to the webView.
For iOS3.2 on iPad, that isn't enough. The initial request is authenticated all right, but the subsequent calls still aren't authenticated.
Any suggestions?
Use setDefaultCredential:forProtectionSpace: on the shared NSURLCredentialStorage
the Webview still uses the default credential, it does not work when you use setCredential:forProtectionSpace.
Maybe I'm missing something, but from Apple's documentation for NSHTTPCookieStorage, I can't help but wonder how this is safe to use.
Does this mean that cookie storage is shared across all apps on the iPhone? If my app makes an Http call that results in some cookies being saved, do all apps now have access to these cookies?
Methods like:
cookiesForURL: Returns all the
receiver's cookies that will be sent
to a specified URL.
make it look even more suspicious.
Can someone explain how this is OK, and what the class does?
Also, assuming my understanding is flawed and this is indeed sandboxed per-app, do calls made using NSURLRequest automatically save/retrieve cookies from this store or is it the developers responsibility to set request headers before dispatching the request?
Your application only has access to cookies within its own sandbox.
From http://developer.apple.com/iphone/library/documentation/Cocoa/Conceptual/URLLoadingSystem/Concepts/URLOverview.html:
iPhone OS Note: Cookies are not shared by applications in iPhone OS.
I guess you're confused by the fact that you can access cookies from other domains/urls.
That's is technically true because your native app is "a browser" when you use UIWebView.
If you load www.siteA.com and www.siteB.com in your UIWebView, both domain's cookies are available to your objc code.
All apps, including mobile safari has it's own CookieJar and none of them can access the other one.
I have an iphone (jqtouch based) web app that uses cookies for authentication. The use flow is as follows :
user goes to the mobile landing page and is instructed to save the page as a bookmarklet on their home page.
they launch the bookmarklet to go to a login page to login and get a cookie.
the cookie works and they can navigate throughout the web site.
However this session cookie is not persistent. If they leave safari and then restart using the saved bookmarklet, the cookies set during their previous session are gone.
Just using safari (ie: launch safari directly rather than through the bookmarklet) to navigate the pages works fine (ie: start safari, go to url, do login, restart safari, go back to url).
I find that that the cookies that were active when the bookmarklet was created are persistent but any cookies set during the session when safari is accessed through the bookmarklet are not persistent.
I'm wondering if this is a safari/iphone issue and/or if there is any way around this. Many thanks for any insight you can provide.
K, for anyone encountering the same problem, i found a work around by making use of html5's localstorage. I just needed to use javascript to set the storage based on cookie values as the cookies were being set and to set the cookies from the storage values when the first page was loaded.
I have tried that in one of my applications. I have tried this in this way:
The user logs in and his cookie is set into the sharedHttpCookieStorage.
Check the cookie against your URL, get its values and save it in your application's storage.
Next time user wants to use your application, check if there is any cookie values in your storage. If Yes then create a cookie with those values else get him to log in again.
Make sure to clear the cookie values when the user logs out or the cookie expiration date reaches.
I know it sounds difficult but infact is really easy. All you have to go through is Apple's documentation on NSHTTPCookie.
I'm trying to glue information from a web page to an iPhone app that said web page suggests to download. I control both the web page and the downloadable app.
Scenario is like this:
User visits my web page, on which I recognize the user (he may have logged in, and I store his info in a cookie). I then present a link to him to an app in the App Store that he should download for "enhanced experience" of this web service of mine.
Now, when the user launches the downloaded app on his iPhone, I like to re-identify the user who previously visited said web page.
All would be easy if an iPhone app could read Safari's cookies. But it can't.
A somewhat lame solution could be that the web server stores the visitor's IP address and uses that to recognize him once he launches the iPhone app. But that's not reliable.
Another one would be to give the user a token (code) that he needs to remember and then re-enter in the app. Still quite awkward, I think.
Any better suggestions?
Simply put, you can't do this.
One thing you could consider is a custom URL scheme to launch the app. You could send the user an email that uses this custom link. However there's a couple of problems with this:
the user may not have the account that they used to register for your site set up on their iPhone. This might seem unlikely, but say the user signed up for your site 5 years ago with their Hotmail account and they have since switched to Gmail.
it's unlikely that the email would fit into their workflow. They would probably download the app and just launch it by touching the icon instead of clicking a link in a received email.
You could also put the custom URL as a link on your web page, but again, this won't fit into the workflow because they have to go to the App Store app to do the download.
Consider this - if you've got some sort of website that has an authentication step, it's probably a fair bet to say that the user is the type of person who already has an application such as Facebook installed on their iPhone. They are already used to the paradigm of having to enter their credentials into an application despite the fact that they may have already done it in Safari.
If you could read the unique iPhone device ID from javascript on your web page, you could look for that again when the application connected...
But I cannot find any means of reading this from Javascript in Mobile Safari, I thought I'd post in case there is a way now to give you another option to consider.
OK, we found a somewhat working solution: The html code can create a cookie. Later, when the app runs, it can't directly read that cookie, of course (due to the sandboxing of iPhone apps). However, it can connect to the server, then open a http URL pointing to the server and including a unique token that it has gotten from the server beforehand. This leads to launching Safari, accessing the server. The server can now read the aforementioned cookie and finally establish the connection with the help of the token.
Just stumbled over this question and I'm curious if you thought about using a UIWebView.
Where the question is - does UIWebView share cookies with safari?
If it does the rest should be easy.
UIWebView's DON'T share cookies with Safari. So unfortunately that is not an option.