Maybe I'm missing something, but from Apple's documentation for NSHTTPCookieStorage, I can't help but wonder how this is safe to use.
Does this mean that cookie storage is shared across all apps on the iPhone? If my app makes an Http call that results in some cookies being saved, do all apps now have access to these cookies?
Methods like:
cookiesForURL: Returns all the
receiver's cookies that will be sent
to a specified URL.
make it look even more suspicious.
Can someone explain how this is OK, and what the class does?
Also, assuming my understanding is flawed and this is indeed sandboxed per-app, do calls made using NSURLRequest automatically save/retrieve cookies from this store or is it the developers responsibility to set request headers before dispatching the request?
Your application only has access to cookies within its own sandbox.
From http://developer.apple.com/iphone/library/documentation/Cocoa/Conceptual/URLLoadingSystem/Concepts/URLOverview.html:
iPhone OS Note: Cookies are not shared by applications in iPhone OS.
I guess you're confused by the fact that you can access cookies from other domains/urls.
That's is technically true because your native app is "a browser" when you use UIWebView.
If you load www.siteA.com and www.siteB.com in your UIWebView, both domain's cookies are available to your objc code.
All apps, including mobile safari has it's own CookieJar and none of them can access the other one.
Related
I have an application that may access authenticated content. I know that the webview can't handle authentication so I do some NSConnection magic to make it work (something similar to this)
The thing is that there is some content that can be accessible using this web view, but there is some other content that event after a sucessfull authentication, the web view is not able to load.
BUT.. if I enter the same url with mobile safari, enter the needed credentials and then I go back to my app, the WebView seems to load the content fine.
I tried reviewing the cookies before and after the auth in Safari is done using this code
[[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies];
and the cookies are the same.
As far as I understand that code will retrieve the cookies my app generates and not the ones available in iOS, so apparently this is not the way to look for a hint...
Any ideas?
Recently, i've lurked for the same question over the internet, and the answer is "no" =(.
Objects of UIWebView class and Safari or other browsers live apart and are sandboxed.
Here is official position about cookies.
TO the best of my understanding, Cookies can not be sent with the first request from a Webview, but can be sent with subsequent requests to the same URL, if and only if, the first request was successful.
This causes problems with authentication services that require cookies to authenticate on the first request to the URL.
Possibly user credentials are stored via keychain api. Keychain is shared between apps, so stored login/pass in Safari can appear in your app UIWebView.Can you elaborate this as i also need this.
Is it possible to force all iphone apps to use the same cookies in all http requests ?
Example: i want to send my email in all http requests.
No, not in any supported way. See NSHTTPCookieStorage.
iOS Note: Cookies are not shared among applications in iOS.
What are you actually trying to accomplish with this?
So I was just curious if the NSHTTPCookieStorage was persistent across applications, or local only to the current one. I want some cookies gathered in another app to be accessible in a search app. Is that how it works? Thanks!
PS: This is on the iPhone or iPad.
For iOS, cookies are not shared across apps. Per Apple's documentation,
iOS Note: Cookies are not shared among applications in iOS.
Created a workaround where I just pass the credentials to the new app and reconnect to server. Not very efficient, but passable until something better is found...
As Greg said, No. Each apps cookie storage is sandboxed.
A solution to the problem would be to use a SFSafariViewController, new to iOS9.
This implementation of WebViews are not sandboxed and have access to Safari's cookie storage. Meaning that two different apps could use this to both access the same cookies from Safari's cookie storage.
You would need to write a small web-service to handle writing the cookies and some sort of API to redirect cookie data back into the app.
Use this project as a starting point. It shows you how you can access Safari cookies from an app without the user having to do anything.
Hope this helps,
Liam
I made an application that uses UIWebView to display a site that uses basic authentication. It stopped displaying the content since iOS3.2 (on both iPhone and iPad).
My approach for authenticating users are:
create a NSURLConnection
implement didReceiveAuthenticationChallenge to provide the credential
implement didReceiveResponse to receive the response and load the request in a UIWebView, i.e. [webView loadRequest:]
Ever since iOS3.2, the authentication was broken; UIWebView doesn't seem to check against the shared credential storage any more.
For iOS4 on iPhone, I managed to work around this issue by, stupidly, including the login informatino in the URL (i.e. https://username:password#www.somesite.com) to the initial load request passed to the webView.
For iOS3.2 on iPad, that isn't enough. The initial request is authenticated all right, but the subsequent calls still aren't authenticated.
Any suggestions?
Use setDefaultCredential:forProtectionSpace: on the shared NSURLCredentialStorage
the Webview still uses the default credential, it does not work when you use setCredential:forProtectionSpace.
Is it possible to set a cookie in an iPhone Application that persists, so that later when the user is in Mobile Safari, that cookie can be sent to a webserver?
** Update 2017 **
A lot of changes to security mechanisms and cross-app communication were introduced to iOS in the recent years since this was first answered.
The below code no longer works on current iOS releases since Safari no longer accepts javascript:... in URLs and frameworks like NSURL catch these and return nil.
The one alternative that still works is to either host a website and have Safari open it or integrate such a HTML page in your app and run a small http server to host it on demand.
**iOS up to 6.x **
Since Apple has forced the sandboxing on all app store applications
there's currently no easy way to realize your request.
You could however open a special http://-URL from your application containing javascript to place a cookie:
NSString jsURL = #"javascript:function someFunction(){ /* your javascript code here */ } someFunction();void(0)";
[[UIApplication sharedApplication] openURL:[NSURL URLWithString: jsURL]];
Using javascript in URLs has been used by different iPhone applications to cross communicate
with MobileSafari (for example instapaper).
Another option would be to include a static HTML page in your app or on your server and instruct MobileSafari to open it.
The page in turn could set the permanent cookie.
Hope this helps!
I believe this is made easy by using the ASIHTTPRequest Library. It encapsulates the use of the global cookie store.
http://allseeing-i.com/ASIHTTPRequest/How-to-use
You can make requests with this library which will accrue cookies, and then these cookies will affect other requests later.
I use this to great effect in accessing authenticated APIs within my iPhone app.
The documentation for NSCookieStorage suggests that it would be such a mechanism. But whether "all applications" really includes Mobile Safari or not, your experimentation will have to determine....
See also the general documentation for the URL Loading System.
I'm new at iPhone development, but wouldn't opening a UIWebView allow your server to set a cookie on the browser so then when the user visits the site with Safari the cookie would be readable to your web server? Perhaps a hidden or small UIWebView? I can't tell what the use case is from your question.