I have develop an android application which uses webview to convert my website into mobile app. there are few cookies set from website to store data while user uses website on android app. Issue is when user logout from the app it removes all cookies accept session related cookies. so i want to remove all cookies which is created by android app but not remove those cookies which is created by website. i have use below function to not remove session related cookies by commenting code for those device which has OS less then lolipop but what to do for rest device which has higher version then lolipop.
cookieManager.removeSessionCookie();
above code i have commented to not remove session cookie but that will not work with higher version.
So can anyone suggest me what to do to prevent cookie to be removed?
Related
Current State:
I am implementing oAuth Authentication for a flutter app running android and iOS.
For iOS my Authentication process works perfectly. I want to get the user prompted for his user certificate every login. Therefore I pass the parameter prompt=login when getting the authCode.
On Android the certificate is getting cached in the browser, so the authentication is triggered without selecting a certificate again. Even when sending the prompt=login parameter.
I have used a couple of libraries.
flutter_appauth
flutter inappwebview
oauth2
The main problem is that when I use a webview the browser doesnt bring up the cert picker.
When I use e.g. custom chrome tab like in appauth there is no possibility to clear the custom tabs cache or chromes cache on logout.
When I use system browser like in oauth2 library I have also no control over the cache.
I have also tried implementing java code to access the cookiemanager to clear cache, but this also only accesses webviews.
I have experienced when I kill the browser app after logout the cache is getting deleted and I get prompted again.
Any solution on how I can clear the cache on custom chrome tabs, system browser or implement the webview that it brings up the cert picker?
I have an ionic application which I'm developing and deploying on an android device. I'm using angular-auth-oidc-client for user authentication in the app. This is the configuration I have:
Note: The sts server and clientId are omitted for the sake of brevity and they are not relevant.
scope: 'openid profile tino_access',
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
responseType: 'code',
postLogoutRedirectUri: window.location.origin,
silentRenew: true,
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
logLevel: LogLevel.Warn,
postLoginRoute: window.location.origin,
useRefreshToken: true,
I know for sure everything is set up properly because when accessing my mobile app on a web page everything works fine and the authentication goes through properly.
However, when deploying on a mobile device (origin is localhost), after accessing the Keycloak login page and entering the login credentials correctly, there is a request made to the STS server which verifies the tokens. I need this to be sent out to the server, but I want my app to function on the localhost domain. If I set the redirectUrl correctly as the server, then it works but the app is no longer the local app, it is only a mirror of the webpage.
I can see this is some mechanism for storing and checking session tokens, but it's clear why it wouldn't work on a mobile device. Does anyone know of a possible solution/workaround?
Thanks
There are differences between web and mobile OAuth, summarized below:
Web UI logins use the same type of browser window on which normal views are rendered, using a HTTPS callback URL
Mobile app logins use a form of the system browser to trigger sign in, and often a Custom URL scheme is used to receive the response
Some tech stacks attempt to use the same solution for web and mobile. This might work in terms of rendering but it will not work in terms of OAuth. Instead, for a mobile app you need to follow the OAuth for Native apps guidance.
The mobile solution is usually called the AppAuth pattern. To get started with it on Android, maybe start with my Android AppAuth Sample Page.
I'm creating an Android app that has a WebView which accesses my website hosted using Firebase Hosting.
If I sign into the website using email/password credentials and then refresh or navigate to another page, Firebase loses my login information.
I tried to force Firebase to keep my credentials using firebase.auth().setPersistence(firebase.auth.Auth.Persistence.LOCAL) but it throws this error in the WebView console:
Uncaught Error: The current environment does not support the specified persistence type.
As a side note, I tried logging in on other services, such as YouTube and Google to see if it was a browser cache problem, but the session was persisted normally, even after I refreshed the page, navigated or reopened the Android app.
I also tested the Android app using the emulator (running Android 8.0) and a phone (Android 6.0).
Does somebody know what's going on here?
You need to enable DOM storage in your webview as Firebase Auth depends on web storage (localStorage/indexedDB) to store the Auth state.
webview.getSettings().setDomStorageEnabled(true);
I want to inject cookies into Android Browser from My App's HttpClient's Cookie Store, is that possible, I do not mean WebView.
Indirectly - your server can modify cookies that can be read by browser
Since this issue is about three technologies I'd like to quickly introduce each of them:
node.js: javascript on the server side (consider it my webserver)
PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
facebook authentication: using everyauth to let my users login with their facebook account
The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged in state of the PhoneGap application.
The issue: When I setup everyauth for facebook I basically have an URL, like domain.com/auth/facebook which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that
the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
The PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself
Cause of the issue: the reason this issue appears while it does not for a normal web application, is that the PhoneGap application's HTML files are stored and run from the phone itself while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.
Suggested approach #1: a PhoneGap user has recommended me to use this Android-Facebook plugin for PhoneGap. The issue here is that the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.
How should I tackle this issue?
With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.
We used this approach to integrate a PhoneGap app with a node.js openid module
I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.
With jsOauth library, the auth token key/secret are stored for you and sent with every request.
Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone are no more at risk than everything else on the phone.
Tut. using PhoneGap / Android Facebook plugin in next on my list. Thanks for link to everyauth!