iPhone "Bookmark to Homescreen" removes cookies and session? - iphone

Right now I am developing a web-based application where the user has to log in first.
When I open the page in iPhone Safari, log in and restart Safari, I am still logged in (cookie and session ID still set).
But when I add this page with "Add to Home Screen", each time I click the icon for that page, I have to log in again.
I did not find any information about that. What can I do so my users can set this page to their home screen as an icon and still don't have to log in each time they open it?

A really simple approach could be to use a unique token in your Bookmark-URL which can serve you as a unique device identifier.
Example:
http://myWebApp.com/?token=randomId29238/1
The token can be generated at the server side at opening time of the application in Mobile Safari and before the user is prompted with the "Add to Home Screen" information.
The token can then be added to the URL using a quick redirect (…&token=randomToken) or a location hash (…#randomToken).
Whenever the Bookmark is now opened from the Home Screen, the token is sent to your server and you can identify the user's active session.
You may also use the token as a permanent session id, but I advise against that because of security concerns.
To allow future logout and login procedures, you can always assign the new sessions to the token.
The token will serve you as a unique device identifier whenever the user will re-open your link from his Home Screen.
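
A sketch of the server side of the token scheme described in the answer above, as an added example that is not part of the original answer. It assumes a Node.js backend; `DeviceTokens` and its method names are hypothetical, and `isSessionLive` stands in for whatever session store the application already has.

```javascript
// Added example; DeviceTokens and its methods are hypothetical names.
const crypto = require('node:crypto');

// Keep only a SHA-256 of each token, so a leaked table holds no usable tokens.
const hashToken = (token) =>
  crypto.createHash('sha256').update(token).digest('hex');

class DeviceTokens {
  constructor() {
    this.bindings = new Map(); // token hash -> current session id, or null
  }

  // Run in Mobile Safari before the "Add to Home Screen" prompt; the returned
  // value is what the redirect places in the bookmark URL.
  issue() {
    const token = crypto.randomBytes(32).toString('hex');
    this.bindings.set(hashToken(token), null);
    return token;
  }

  // After a successful login, point the device token at the new session.
  bind(token, sessionId) {
    const key = hashToken(String(token));
    if (!this.bindings.has(key)) return false; // unknown token: never auto-create
    this.bindings.set(key, sessionId);
    return true;
  }

  // On logout the token stays registered but no longer leads to a session.
  unbind(token) {
    return this.bind(token, null);
  }

  // On every launch from the Home Screen: return a live session id, or null
  // so the caller shows the login page. The token itself is never the session.
  resolve(token, isSessionLive) {
    if (typeof token !== 'string' || token.length === 0) return null;
    const sessionId = this.bindings.get(hashToken(token));
    if (!sessionId || !isSessionLive(sessionId)) return null;
    return sessionId;
  }
}
```

Because the token travels in a URL, it is a bearer value that can end up in logs and history; keeping it separate from the session id lets logout and session expiry cut it off.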

There is an easier and, imo, more elegant solution than favo's.
At least under iOS 4.2.1, 5.1.1, 6.0 and 6.1 (I couldn't test other versions), if you extend the lifetime of your session cookie manually, Safari will hold on to the session cookie and even allow sharing of the session between the 'home screen installed' version of your web app and normal visits through Safari itself.
The trick is to do this:
// Start or resume session
session_start();
// Extend cookie life time by an amount of your liking
$cookieLifetime = 365 * 24 * 60 * 60; // A year in seconds
setcookie(session_name(),session_id(),time()+$cookieLifetime);
For a more elaborate discussion of this strategy you can take a look at my answer to this question:
Maintain PHP Session in web app on iPhone

I am going to expand a little further on Waldo Baggins' answer.
When I ran into this, I discovered the reason this was happening is that session cookies set on the server usually do not have an expiration value set. The default behavior in this case is for the browser to discard the cookie when the browser is closed / re-opened. Since the browser does not resend the cookie on re-opening, the server has no way of identifying the session, even if it hasn't expired on the server yet, and thus, your user is redirected back to the login page.
When the user is using your site in web app mode (icon added to home screen), iOS treats navigating to / from the app the same way a desktop computer would treat closing and reopening the browser, and loses the session when reopened.
So following Wilbo's suggestion and setting an expiration time for the cookie, iOS checks if the cookie has expired when the user navigates back to your app, and if it hasn't, re-sends the cookie, thus maintaining the session. The value of 1 year in Wilbo's answer is ridiculously long. You would typically want to set this to something like 8 or 24 hours, and ideally sync it with the session expiry timeout value you have set on the server.
Note that as a side effect, when your site is accessed from a desktop browser, and the user closes and re-opens the browser, the session would continue to persist and the user will still be logged in, which wouldn't have been the case previously (unless they were browsing privately). Your "Logout" feature would have to properly handle expiring this cookie.
For a Java webapp using web.xml version 3.0 or higher, the easiest way to do this is to modify <session-config> as follows:
<session-config>
    <session-timeout>600</session-timeout> <!-- In minutes -->
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>36000</max-age> <!-- In seconds -->
    </cookie-config>
</session-config>
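
The points made in the answer above (cookie lifetime tied to the server-side session timeout, and a logout that expires the now-persistent cookie) shown together, as an added example that is not part of the original answer. It assumes a Node.js backend rather than the PHP and Java setups in the answers; `SESSION_TTL_SECONDS`, `sessionCookie`, `SessionStore` and the cookie name `sid` are hypothetical.

```javascript
// Added example; SESSION_TTL_SECONDS, sessionCookie and SessionStore are hypothetical names.
const crypto = require('node:crypto');

const SESSION_TTL_SECONDS = 8 * 60 * 60; // single source for cookie AND server expiry
const COOKIE_NAME = 'sid';               // assumed cookie name

// Build a Set-Cookie value. maxAge > 0 makes the cookie persistent, so the
// home-screen web app re-sends it; maxAge = 0 tells the browser to drop it.
function sessionCookie(value, maxAge) {
  return [
    `${COOKIE_NAME}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAge}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    'SameSite=Lax',
  ].join('; ');
}

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock, so expiry can be exercised
    this.sessions = new Map(); // session id -> { user, expiresAt }
  }

  login(user) {
    const id = crypto.randomBytes(32).toString('hex');
    const expiresAt = this.now() + SESSION_TTL_SECONDS * 1000;
    this.sessions.set(id, { user, expiresAt });
    return { id, setCookie: sessionCookie(id, SESSION_TTL_SECONDS) };
  }

  // The server decides validity; Max-Age only controls what the browser keeps.
  lookup(id) {
    const session = this.sessions.get(id);
    if (!session) return null;
    if (session.expiresAt <= this.now()) {
      this.sessions.delete(id);
      return null;
    }
    return session.user;
  }

  // Logout: invalidate server side, then expire the persistent cookie using
  // the same name and Path so the browser matches and removes it.
  logout(id) {
    this.sessions.delete(id);
    return sessionCookie('', 0);
  }
}
```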

There are persistent key-value storage and database storage available for web apps. You can save your authentication data using localStorage object and use XMLHttpRequest to send it to the server.
Another option is saving your persistent data in a SQLite database, however this doesn’t seem to be a proper solution in your case.
Check out Apple’s Client-Side Storage and Offline Applications Programming Guide for details/examples.

Related

Keep user signed-in always; a la native app?

I'm currently working on a PWA and noticed that the overall experience would be awesome for the users, if they do not have to sign-in every time they open the app.
I've noticed that on native mobile apps, the user stays signed in unless they decide to log out of the app.
I could think about the following approaches -
Make the session time super long; say 30 days or 180 days. I'm not aware of the downsides of this approach.
Create a cookie that says that auto-login link and use it to authenticate the user automatically when they open the app.
But there could be a way better approach than this; and I'm curious to know about it. Can someone help?

Well, it depends on your current user session algorithm; websites like Facebook keep me logged in for years. You might want to use:
Local storage (IndexedDB) to store the user's data, only updating it asynchronously,
Cookies: set a (x months) cookie and validate the cookie if it exists, probably with the user's data.
This would preferably be done with your server-side language and not client side.

Keep me logged in option in facebook desktop login flow not working

I must use facebook integration within desktop app on OSX. I've used part of facebook sdk for ios and modified all ui elements to properly work on desktop.
I'm presenting facebook dialogs within webView, display is set to popup, and redirect url is https://www.facebook.com/connect/login_success.html.
Everything seems to work fine (all the dialogs are working after login, token and expiration date seems to be ok and are stored between web sessions) except for the facebook cookies which are always set to be session only (even with the keep me logged in option turned on). This means user has to log in to facebook every time app is opened which is really frustrating.
I've already tried setting display to other values (touch, page) with no success. Probably all relevant settings in facebook app are checked (Native or desktop app?, Embedded Browser OAuth Login, Client OAuth Login).
So the question is if anyone has encountered the same problem or might know the solution to make keep me logged in option working properly?

IWebBrowser2 facebook login

I'm working on a windows based application in C++ that requires facebook login. I'm using Ole Embedding/ActiveX control with the CLSID_WebBrowser component (IWebBrowser2) to do the authentication.
This works pretty well in so far as I create a window, embed the activeX web browser control, and then I direct it to the facebook login with an 'authorization url', such as...
https://graph.facebook.com/oauth/authorize?client_id=xxxx&redirect_uri=https://www.facebook.com/connect/login_success.html&scope=basic_info
xxx is set to our app id.
This works, and you can login. The problem is if I quit and restart the app, even if I've selected 'keep me logged in' in the web page, I will generally have to retype in my password.
I say generally, because if I don't use the facebook auth url above, and say go to www.facebook.com, within my active x control and log in - it will remember that I'm logged in, and I don't have to type in password if I shutdown and restart the app.
As another side detail all of this is separate from the behavior of just running IE. If I run IE and login - it has no effect on the login inside of the app. And it's not something that is unique to my implementation of ActiveX control embedding. If I run the JUCE library demo - which has a web browser active X component, it has the same behavior as with mine. That is...
1) I can login via https://graph.facebook.com/oauth/authorize - but if I restart the demo, it won't remember my previous login
2) If I login via www.facebook.com then it does remember I've logged in
+ Actually a login like this in JUCE will allow me to login without a password from my app
3) Login from IE has no effect
It's tedious to have to login every time, and seems like incorrect behavior to have to do it if you select 'remain logged in'. It does not appear that it's a problem with the ActiveX control saving session state - as session state is maintained when I use the www.facebook.com login. It may be worth saying - I can't use www.facebook.com login, because it doesn't return the information that the app requires to work, that's what the authorize style url is all about.
The implication seems to be that facebook is doing something different in these scenarios - it's not storing the login information if you use the authorization url.
So my question is how to fix the problem - such that 'remain logged in' will remain logged for an application authentication through the authorization url?
I guess as a workaround, you could store the authorization token in the app, and try and see if that token is valid at startup perhaps. I'm not sure that's the 'right' way to do it.
Also note - my original implementation used Ole Automation (effectively my app controlled a separate IE process), and it had none of these problems. BUT unfortunately with IE 11, Ole Automation seems to have been broken.
Thank you for your time and wisdom.

I didn't find a way to honor 'keep me logged in' within facebook. Instead, if a user logs in I store the authorization token encrypted in a file. If they restart the application, it will attempt to login using the stored auth token. If it fails, a standard login sequence is pursued. This is equivalent to acting as if 'keep me logged in' is always set, which isn't right, but is better from a usability point of view than the opposite.
It may potentially be possible to lookup the 'keep me logged in' element from the DOM of the webpage, and see what it is set to. This seems kinda fragile.
I remain open to suggestions on how to 'do this properly'.

Apple Push Notifications

I'm building an app that checks a site every 15 minutes for changes. I can do this fine in the app, when it's open. But how do I go about doing this while the app is in the background?
The trouble is I don't think I can use the Push Notification Service. The page on the site which is being checked, requires the user to be logged into the site. Because there is a cookie jar for each app, the user logs into the site through a UIWebView at the beginning and then once logged in, the site is polled every 15 minutes using NSURLConnection and receives the data for the logged in user because of the cookies created at login in the webview. I don't believe there is a way to do this on a server for many different users? And if there was wouldn't the user's site username and password have to be stored on my push server which is a huge no.
So can I use task completion, or is it possible to access a page that only appears correct when the correct cookies are present from a server and then use push notification.
Unfortunately there is no way to get the cookie from a UIWebview. And task background completion can only run for 10 minutes.
I'm not sure what kind of website you are trying to access, but if you can replicate the login using a NSURLConnection you can retrieve the cookie using NSHTTPCookie. Then store the cookie data on your server and then access the web site from the server with the "Set-Cookie" header to check the content for changes.
This, of course, depends on how long the cookie lasts (expires).

iphone bookmarklet cookie persistence

I have an iphone (jqtouch based) web app that uses cookies for authentication. The use flow is as follows :
user goes to the mobile landing page and is instructed to save the page as a bookmarklet on their home page.
they launch the bookmarklet to go to a login page to login and get a cookie.
the cookie works and they can navigate throughout the web site.
However this session cookie is not persistent. If they leave safari and then restart using the saved bookmarklet, the cookies set during their previous session are gone.
Just using safari (ie: launch safari directly rather than through the bookmarklet) to navigate the pages works fine (ie: start safari, go to url, do login, restart safari, go back to url).
I find that the cookies that were active when the bookmarklet was created are persistent but any cookies set during the session when safari is accessed through the bookmarklet are not persistent.
I'm wondering if this is a safari/iphone issue and/or if there is any way around this. Many thanks for any insight you can provide.

K, for anyone encountering the same problem, I found a workaround by making use of HTML5's localStorage. I just needed to use JavaScript to set the storage based on cookie values as the cookies were being set and to set the cookies from the storage values when the first page was loaded.

I have tried that in one of my applications. I have tried this in this way:
The user logs in and his cookie is set into the sharedHttpCookieStorage.
Check the cookie against your URL, get its values and save it in your application's storage.
Next time user wants to use your application, check if there is any cookie values in your storage. If Yes then create a cookie with those values else get him to log in again.
Make sure to clear the cookie values when the user logs out or the cookie expiration date is reached.
I know it sounds difficult but in fact it is really easy. All you have to go through is Apple's documentation on NSHTTPCookie.