I use asiHttpRequest library to do data get and post.
I have built a login function with it to login to my site, after that, if I launcher a URL from my app to use mobile safari app browse the site, it still remains not authenticated.
I guess the reason is that my app does not share the same cookie storage with safari, is that correct? is that possible I share the cookies with other apps, especially the Safari?
You can NOT share cookies in your App with Mobile Safari. As #erpayo said, it's in Sandbox.
Maybe add a UIWebView into your App is the best solution. Do not open an URL in Mobile Safari but open it in the UIWebView. It can get your cookies.
no, it's not.
Cookies are sandboxed.
Maybe you can make some server side tracking using query string parameters, but it will become a security hole
Related
I have a website which allows login via facebook functionality and displays photos from facebook.
While accessing from a mobile browser I would like the website to automatically login(when the click on FB login button, without entering username and password) if the user is already logged in via the native FB application (iOS or andriod). It seems to be that I can do that by building a native iOS or android application and use facebook single sign on feature. Is it possible to do that without having the user install anything on their mobile device?
That is not possible.
Auto-Login relies on auth tokens that will be granted to a website or mobile app after a user approves an app. For security reasons, those tokens are tight to the cause they were issued for. Particularly, web tokens and mobile tokens are not interchangeable.
So you could build a native mobile app to get a "native token", but even if you would manage to (cookie-)inject it into a browser view, your website's backend couldn't use it.
More generally, you're raising an issue even facebook can't solve: Say you are using a facebook mobile app and logged in there. If you open facebook's web version on that very same phone, you'll have to log in there again. The root cause is the same as with above. Specifically, any native app is uncapable of setting arbitrary auth cookies into the OS browser. I personally believe this restriction will not fall, because it would have a large security impact - just imagine how any app could set (and possibly get) cookies for any website.
If they've never logged in facebook from their Mobile, how will your website ever know them ?
Is it possible to do that without having the user install anything on their mobile device?
Like PC's, users in a mobile device need to login in their phone in facebook's website before being eligible to login "automatically" to your website. When I say automatically, I mean they still have to go with the first time process of "Do you authorize this app/website to do X things on your account". That message is inevitable when using facebook's api on the web.
Hope this answers your question.
Is it possible to do that without having the user install anything on
their mobile device?
No this would not be possible. You need to have a native or hybrid app (phonegapped etc) to make it work. Mobile web apps run in a browser sandbox and without native code interface - you cannot get to the native SSO of FB on your mobile device
Did you have a look at this facebook page ? I'm not sure what you ask is possible, as basav said, but maybe you'll have some clues there.
I have an application that may access authenticated content. I know that the webview can't handle authentication so I do some NSConnection magic to make it work (something similar to this)
The thing is that there is some content that can be accessible using this web view, but there is some other content that event after a sucessfull authentication, the web view is not able to load.
BUT.. if I enter the same url with mobile safari, enter the needed credentials and then I go back to my app, the WebView seems to load the content fine.
I tried reviewing the cookies before and after the auth in Safari is done using this code
[[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies];
and the cookies are the same.
As far as I understand that code will retrieve the cookies my app generates and not the ones available in iOS, so apparently this is not the way to look for a hint...
Any ideas?
Recently, i've lurked for the same question over the internet, and the answer is "no" =(.
Objects of UIWebView class and Safari or other browsers live apart and are sandboxed.
Here is official position about cookies.
TO the best of my understanding, Cookies can not be sent with the first request from a Webview, but can be sent with subsequent requests to the same URL, if and only if, the first request was successful.
This causes problems with authentication services that require cookies to authenticate on the first request to the URL.
Possibly user credentials are stored via keychain api. Keychain is shared between apps, so stored login/pass in Safari can appear in your app UIWebView.Can you elaborate this as i also need this.
I'm building an app that uses OpenID for authentication. I'm giving Google, Yahoo and the general OpenID site as options.
At present, when the user selects a site, I open a UIWebView and the user performs their login with that frame, all within the app.
However, it has struck me that when using UIWebView, you cannot easily show to the user that the connection is over https or that they are indeed at the site I'm claiming they are at. I could be easily harvesting passwords.
Would it be, and I'm looking for opinions on this, be better from a user confidence perspective to actually open Safari when the user selects a login and once they've logged in have Safari direct me back to app?
Thanks
Most people using iOS devices are used to the way Facebook logins work; no URL bar, no nothing. I'd just follow the typical workflow. You could bump out to Safari, and return via a custom URL scheme. However, I think users will think that is more weird. iOS users are not used to being jumped in and out of different apps.
just my 2 cents, it would be also faster if the user has already logged in those services with Safari before.
Prompting out a UIWebView and switching to Safari is using the same amount of steps, so why not?
I thought I'd follow up on this thread to say I'm having difficulties getting the app approved and I think it's because I use the Safari approach. I've had it rejected by Apple twice now because:
"Apps that link to external mechanisms for purchases or subscriptions to be used in the app, such as a “buy" button that goes to a web site to purchase a digital book, will be rejected "
I think it's because I'm launching Safari. I've opened a dispute with Apple and I'll come back with more information once I hear back from them. I really hope a quick change to a UIWebView will help!
I have an issue with my Facebook app when the user uses Internet Explorer.
My app is loaded in iFrame as Canvas Page.
Cookies and Session are lost after post back. It doesn't happen of Firefox at all,
and it doesn't happen on IE if I open my app outside of Facebook, meaning, using the direct URL.
My app is Asp.net C# app but it shouldn't really matter.
I think the issue is larger than a Facebook issue... any website loaded in iFrame using cookies/session is prevented by IE from keeping cookies/session, but is there a way by Facebook to overcome this? I must use sessions in my app, not just to save the reauthentication again and again but for other things too.
Please assist me.
Thanks!
most likely you need to implement P3P headers in your app, see the following for more details:
http://forum.developers.facebook.net/viewtopic.php?id=452
Is it possible to set a cookie in an iPhone Application that persists, so that later when the user is in Mobile Safari, that cookie can be sent to a webserver?
** Update 2017 **
A lot of changes to security mechanisms and cross-app communication were introduced to iOS in the recent years since this was first answered.
The below code no longer works on current iOS releases since Safari no longer accepts javascript:... in URLs and frameworks like NSURL catch these and return nil.
The one alternative that still works is to either host a website and have Safari open it or integrate such a HTML page in your app and run a small http server to host it on demand.
**iOS up to 6.x **
Since Apple has forced the sandboxing on all app store applications
there's currently no easy way to realize your request.
You could however open a special http://-URL from your application containing javascript to place a cookie:
NSString jsURL = #"javascript:function someFunction(){ /* your javascript code here */ } someFunction();void(0)";
[[UIApplication sharedApplication] openURL:[NSURL URLWithString: jsURL]];
Using javascript in URLs has been used by different iPhone applications to cross communicate
with MobileSafari (for example instapaper).
Another option would be to include a static HTML page in your app or on your server and instruct MobileSafari to open it.
The page in turn could set the permanent cookie.
Hope this helps!
I believe this is made easy by using the ASIHTTPRequest Library. It encapsulates the use of the global cookie store.
http://allseeing-i.com/ASIHTTPRequest/How-to-use
You can make requests with this library which will accrue cookies, and then these cookies will affect other requests later.
I use this to great effect in accessing authenticated APIs within my iPhone app.
The documentation for NSCookieStorage suggests that it would be such a mechanism. But whether "all applications" really includes Mobile Safari or not, your experimentation will have to determine....
See also the general documentation for the URL Loading System.
I'm new at iPhone development, but wouldn't opening a UIWebView allow your server to set a cookie on the browser so then when the user visits the site with Safari the cookie would be readable to your web server? Perhaps a hidden or small UIWebView? I can't tell what the use case is from your question.