I'm creating a Hybrid iPhone App that contains a lot of separate UIWebViews that point to specific pages on a website. These pages are secured, so I show a page with a standard .NET login form first. This login succeeds.
However, if I load the subsequent pages in other webviews it still redirects me to the login page. I requested all the cookies that are set for the URL and it contains a .NET session ID and everything. Is there some other reason that these kind of sessions wouldn't be shared between UIWebViews?
Can you control the server side? I suspect that new instances of Safari are triggering new server sessions, perhaps you need to create some kind of recover session function and call it via a web service for each UIWebView.
Related
I'm creating a Social Media management webapp. This webapp will be used by our customers on there own sites (read, own domains). The webapp connects to a facebook app that we own, to allow them to manage there pages.
I'm using the "Website" platform for the app. During development I've had the "Site URL" set to my localhost url, and the "App Domains" set to localhost. This has worked fine.
However I now realise that this app will not always be run from localhost. It will be run from many differnt domains. I've read many posts about how its not possible to do this anymore, or at least the max is 5 domains by adding multiple platforms.
So how am I supposed to do this? Will I need to create an app on my profile for each customer/site? Will I have to create an app on each customers facebook account and link its app ID to our webapp?
The solution for this was not so bad.
Since AccessTokens are portable, so you can generate them on a single domain, and then use them to access the API from any page.
To do this, I have setup a single page on my own server (not customers server), whos domain is in my Apps Domains property. This page just has the facebook JS SDK, and some code to handle whether or not to show a login or a logout button. I embed this as an iFrame inside my webapp (that can run from any URL). I use
FB.Event.subscribe('auth.authResponseChange' function {});
to look for status changes, then use the the JS postMessage method to send the result of this to the parent of the iFrame, who then sends it to the server. This AccessToken can then be used anywhere.
I am working on a page tab application and am having an issue with navigation. My application, written in MVC3, is displaying and authenticating just fine as a page tab. When I click on my tab, my app receives a POST with the signed_request object as expected.
My question is, how can I support links to other pages in my application? When a user clicks on a link, I want an action to be called in my application and to not leave the Facebook iframe. In addition, I need the signed_request to be passed along so I have a user context.
At first, I thought this was not supported and that all page tab applications had to be written as Single Page Applications. However, I found examples that do exactly what I am looking for.
Click on an image:
https://www.facebook.com/Sephora/app_305927716147259
And:
http://woobox.com/pinterest
How are these apps handling page navigation within the iframe?
The performance of clicking on an image seems to be pretty bad. What are they doing behind the scenes and is there a more direct way of handling navigation?
I will also need to handle POSTs.
Thank you.
When a user clicks on a link, I want an action to be called in my application and to not leave the Facebook iframe.
Well, that’s what normal HTML links do – so no extra effort required at this point :-)
In addition, I need the signed_request to be passed along so I have a user context.
You could pass it as a GET parameter with every link – but this way the user can easily “see” it, and it might also get transfered to external servers (if any external resources are embedded within your page) via the HTTP referrer.
The better solution IMHO is store the signed request server-side in your session (parsed already, if you like), so that you have access to it on the following pages of your app.
I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframe. Similar as facebook is doing, but no, I am not trying to build another Facebook:). From what I understand developers can build facebook application using iframe.
Question: I am wondering how is about security from facebook user perspective. How Facebook prevent that application developer doesn't put malware javascript code inside iframe. I haven't noticed any automatically mechanism that prevent including something like that in iframe.
tnx
No, this is not a problem at all, I think you are worrying for nothing.
There are no security issues that you need to worry about yourself, the loaded page in the iframe is sandboxed, and is "guarded" by the browser.
The two iframes can't even communicate with one another since they are not sharing the same domain, and modern browsers will block any attempt to execute javascript code in another frame if the two frames have different domain.
The thing that facebook did was to workaround that problem, each iframe app in facebook loads the facebook javascript sdk which then enables the nested iframe to make requests to facebook and be notified (by callbacks) when the data returns.
As for "malware javascript code inside iframe to attack user computer via browser", the iframe has the same exact security policies enforced by the browser as any other browser page, if someone manages to somehow bypass those policies then it has little difference where it's loaded, and facebook are not enforcing any other security measures.
The only thing you need to worry about is that scripts inside the iframe will be able to access your scripts and/or dom, which should not happen unless you create a machnism which will let them (somehow bypass the cross-domain policy).
We just went live with a new Website that's using Sitecore. In the last couple of days, we have heard users complain that they are seeing the Sitecore login page on the live website for the links they bookmarked or just randomly. We are using a load balancer with 3 servers behind that load balancer. Also, the authoring server is behind a firewall and the authoring interface is only accessible via VPN.
Any ideas/suggestions?
Thanks
Would it be possible to have a deny permission on sitecore shell directory for your main website? This way users cannot access sitecore from your main website.
You can still have sitecore enabled on your authoring server though.
This issue has happened to me a couple of times, and I figured out that at some point you must have logged in to sitecore from that browser. Can the users try accessing your website from another browser? It should work fine.
I haven't been able to figure out why this happens though, may be because of cookies.
Like techphoria414 said, opening the site in a new browser or clearing the cookies solves the problem.
But to add more detail to this, the cookie responsible for this is:
website#sc_mode with the value "edit" or "preview".
If the users with the problem have been editing the site or using the page editor mode, this cookie gets created. Even if they log out, sometimes the cookie stays there and when they try to access the live site, Sitecore answers with a 302 (redirect) to the login page because of this cookie.
They can either delete all cookies or simply this one.
We have a wicket application for our main website. Lately we have implemented a mobile version of the site. The mobile version is special in that it is deployed inside a native app wrapper to some mobile devices and not connected to the rest of the page through links because it is not supposed to be normally visible to web users.
The mobile page makes use of ajax and is therefore prone to receive "Page expired" errors for example when we restart the application on the server.
Since that page is not connected to the rest of the application through links I do not want our standard "Page expired" behaviour. Is it possible to override or intercept this behaviour for the pages belonging to the mobile part of the site? For example I could like to be able to configure the pages to simply reload on a "Page expired" error.
Yes,
getApplicationSettings().setPageExpiredErrorPage(YourPage.class)
YourPage.class can then for instance be your HomePage or another Page that depending on it being a request from a mobile device does something else.
If you would like to reload the Page the user was one then it becomes a bit less trivial. Reloading the Page is not possible since you are not on the page anymore. You could have a look at IRequestCycleListener and overriding onException and handle PageExpiredException yourself but it is a dangerous road you travel if you simply reload your Page. Navigating to the home (or other) page seems more logical. I assume you are not restarting your server 100 times per day...