I am developing an iPhone application and a website simultaneously. I plan on making an API for the website so that the app can send a URL request to get things done. For example, they send a request to www.example.com/journal/add/1 and it will add the item with id 1 to their journal.
What I don't know, is how to do I authenticate them through the iPhone application? I would like them to login just once and have it save their "session". Should I just store the username/password in a plist, and then authenticate them every time they make a request (so I would have to send their username and password hash through every request, like www.example.com/journal/add/1/user/hash? Seems hacky.
You can try oauth, or implementing a simple key system, where logged in users get a key to make subsequent requests with, either way you can refer to the facebook, twitter, youtube apis, you can see how they do it, get some ideas from there (they are all pretty similar) though they concentrate on letting external users make the calls, but you can still do something similar...
instead of keeping their login and pass you should keep sessionid (make it using time, login and md5 checksum)
so first, do normal authorization with your php script (you will need to use database), if it's successful, return sessionid to iphone client. iphone client stores it locally. then next time user starts app you check if sessionid is there: if yes, you send it to your server for authentication. Server checks if sessionid is in the database - if YES, it returns success to client and updates session id in database (remember that you can sessionids can be time stamped, so user will have to relogin if there was long inactivity)
sounds complicated but it's not that bad ;)
Related
I want to create a Chat Messenger for my chat website (because of Push notifications).
But the user has to log in. I want to have it like the Facebook app, that at the beginning the username and password is requested and if the "remember" field is checked you don't have to login every time (maybe once a month then). What's the best way to do that? A session on the Server or saving username and password local? If I make a HTTP-Request where Session Data is saved, is it still available or active when I make a HTTP-Request on the same server later? (like for getting the chat content, or something else?)
I searched the internet, but didn't find something useful. If someone could tell me how to do that, or post a link or something that could help..
Thanks a lot!
The web server identifies a client through a token (e.g. session cookie). With each HTTP request, session cookie is sent to the server and server knows that request is coming from a client who has authenticated before.
The time span of this authentication is of course equal to the validity of the token (cookie in this case). The token can be invalidated on either client or server. You may require special mechanism for keeping sessions valid for month. Defaults are usually like half an hour.
Second option of storing password is more of a security decision. If you store user credentials, then you have to make sure that you do it in a secure manner.
If the user checks the save password field you could save the password to NSUserDefaults.
Although that's not good for encryption, it works. You should also use some type of encoding (SHA-1). You could make it aks for your password after say 10. To do that you would want a data store. You would load it into an int and then you can simply do something like runTime = runTime + 1; and if it get to ten purge the password data
Hello, everybody.
I am developing an iPhone native app(including webview in it) which could communicate with my server-side webservice.
The system has user management module which user could login/out, chanage theirs own information.
Come with usual cases such as a web site, there must be token or something else for security consideration.
Then what about iPhone native app? Because my webservice could only access from the app so that I think it is secure enough, is it also necessary to implement at the session token way?
Thanks, Best regards.
How are you going to do identification/authentication without token?
I believe when you enter User/Password the this authentication pair + device_id is sent (using SSL) to the server, then in case of successful authentication server returns session token (session could be unlimited by time, it is up to you) for this device_id. Login and token are saved somewhere in your program (e.g. in defaults key/value storage). Password should be never saved anywhere in program.
When user launches your app, app sends Login, token and device_id to the server, server checks and say OK+session_key or NOK. In case of NOK you delete login and token from your app's storage and display login form again. If response was OK - you send HTTP requests + session key and server replies you. Something like that...
PS: I believe it should be like that, however I don't have much experience in Web.
I am working on iPhone application which have login form to access application functionality same as website. now i want to add one button in iphone application that redirects user in to website in safari browser with successfully login.
After success login in to iPhone application, user want to check website in browser so i just need to add functionality that user can directly login in his account and redirect on particular page.
i have some basic idea for that we can do with encrypted username and password with url.
like http://xyz.com/login/username=abc&password=abc
but i know that its not secure way to pass username and password with url.
So please suggest me any other way if possible.
Any idea or alternative that how to implement this.
Thanks in advance.
There are a few ways to do it.
Any time you send password information over the Internet you want it to be encrypted over SSL. This will require an SSL Certificate for your web server though and it's not always possible.
You can also encrypt the username and password yourself in a way that only your web server will know how to decrypt. So the username "foo" could be turned into "oof" and the password "bar" could be turned into "rab". That way if someone intercepted your requests, they couldn't know what the username and password were without knowing how you changed them.
Why not pass the session id?
Here's what I mean: When you log in to a web site, typically you're assigned (or already have) a "session cookie" which essentially tells the server "This visitor has session ID 'XYZ'", and allows it to retrieve the server side information stored for that user (like who they are, that they authenticated, or whatever else you store in the session store.
One of the easier ways of moving to/from applications is to make sure that all logins generate a server side session, and provide a script which will overwrite the user's session cookie and redirect them to the proper page.
session_restore.php?sessionId=12345&redirect=HOME
The doubters here will argue that providing such a script is tenement to a security breach, but I would argue that all of this information is stored client side already, and can be accomplished without the server's intervention anyway. (session hijacking plugins for popular web sites exist for firefox that will grab session IDs from wireless networks - no technical skill needed)
Doing it this way just makes the process friendlier to the user, and if your site provides SSH access (which you really should be doing anyway) then the risk is very minimal.
I'm creating an iphone app where the user logins once (when they open the app for the first time), then will never have to login again (like how instagram does it). The app will automatically log them in the next time they open it up. However, the app makes a bunch of requests to a web server.
What is the best way for the server to issue session tokens? How long should the session tokens be valid for? How can I ensure the user never has to log in again, while still providing secure session tokens.
One approach is for the server to issue a token to the user when the user logs in for the first time, and make that token permanent. That, however, does not seem secure.
Thanks for the help!
Well, generally the session is already handled through session cookies. Unless you're planning to have third parties connect to your service, I think it's a bit overkill to do anything besides basic http authentication. I would definitely send all of your connection requests over an https connection though.
As far as persisting the session on the iPhone side, you can save the user and password in the Keychain, and then automatically retrieve and send it to the server when it requires you to log in again, without having to prompt the user to log in again. How often you want the sessions to last on the server end is really up to you.
What is the best way for the server to issue session tokens?
One way to do it is using OAuth. It is more complex than cookies but it has more features.
A token is granted to each application and can be revoked by the user from a page in the server. This token can be permanent or temporary. You can store it as plain text or inside the iPhone keychain, depending on the level of security you need. There is open free code for server and client implementations. Another benefit is that clients can log in your service using their Twitter/Facebook/... account so they don't need to register on your site.
I'm building an app that performs similar functionality that one website does: register, login, submit order, view orders and etc. Now, do I have to do anything explicitly in order to get things working?
After successful login, a webserver establishes a session and sesssion ID and related session info is written to related cookie. IMHO, I just need to call webservice with login credentials and then the rest will be done implicitly. After successful login, every requested user page from user area will be checked with sent cookies and session file at server side. So, do I have to do anything else in order to get into secure area?
Agree with what #sicKo has said. Remember, sending data over wireless network is not secure. Do be careful on the transactions when money and authentication involved.
In addition to what #sicKo has said, you may now consider the coming iOS5, store the value at iCloud.
You just have to send the value to verify the user to the webserver.. and u can keep the session alive in iPhone using NSuserdefault..
U might want to encrypt the sensitive data send over the network such as username and password.