in my application I'm having three activities where first activity is for an intro, 2nd one is login/register and the third one is webView. how can I manage the session between all three activities? when someone login in login activity server will send the JSESSIONID in the cookies. how to use that same JSESSIONID and set it to webView cookies.
I'm using volley JsonObjectRequest
How session can be managed in andorid:
One of the way for session management in android is by Cookies.
The flow is simple, Whenever the User is successfully logged in then in response of that login API call you will get a Response Header named set-cookie which is the newly generated sessionId by the server. You can save it in SharedPreferences and then on every next API call Headers send that same cookie by the key cookie and the value that have saved in SharedPreferences.
How you can set the cookie to WebView:
In your case you have a WebView that you want to set the Cookie so check this link:
Android WebView Cookie Problem
How you can get and Set the headers in Volley
check this link:
https://github.com/google/volley/issues/37
Related
I have an application where authentication happens through a passive client. Basically based on server information, a browser will be launched and it will show a login screen. Once the user enters login credentials, the further handling of cookies and session is done in shouldOverrideUrlLoading.
The issue is coming with authentication when I am connecting to web application servers in a clustered environment. When user connects to first server, it shows him login screen and user enters the details, server authenticates, but during session handling in shouldOverrideUrlLoading, my code connects to the same server with same url, but the response from the server comes that user has not been authenticated, while he has already done authentication.
So to differentiate between different servers, we use JSESSIONID to identify server.
I get the original JSESSIONID that was used on the first URL, but when the second URL is fired, my code use JSESSIONID and other cookies from the first URL in the request of second URL. To fire second URL, i use org.apache.http.impl.client.DefaultHttpClient.execute method.
I am not sure what I am missing to get the response from server that user is already authenticated.
I resolved this issue. There was an issue with cookie version, I was using while building a HTTP context for second request.
BasicClientCookie cookie = new BasicClientCookie(name,value);
// cookie.setVersion(1);
cookie.setDomain(host);
cookie.setPath("/");
cookie.setSecure(true);
cookieJar.addCookie(cookie);
I commented version for cookie and then it recognized request to send to same cluster member which was authenticated in first request.
I have a problem using loadUrl after postUrl.
First I use postUrl to login to a website and after that I want to load another page from the same website with loadUrl. But after using loadUrl Im asked again to login.
Probably you need to handle cookie with WebView.
You need to store the COOKIE returned by the POST request (i.e., the login request). Then, whenever you send a GET request, you need to pass along the cookie so the sever knows you've already logged in.
I have next problem:
I auth via oauth and webview, after that i store cookies in sharedPreferences and setting it in ClientHttpRequestInterceptor.
Via logs new cookies are setting for new requests, but on server i get old cookies until i fully restart application.
Here is my JsonSpiceService:
http://pastebin.com/Wiaf6NkJ
Here is my activity where i set cookies:
http://pastebin.com/f5F0JCnd
Thank for your help.
After trying to fix this, i noticed that RoboSpice and Spring ignore setting of cookies after receiving set-cookie header. So, i send request that receives correct set-cookie header and fixed this issue.
If you're trying to request data from an API/Web Service how do you design the login process?
If it is sensitive data, do you send a login request to the server /w username+password, and receive a session-token or similar, or do you send username+password every request?
Assume you do get back a session-token. How do you get a fresh token, without asking the user to reenter their credentials. Do you save username+password on the device?
It is best to use client credentials flow of auth2:
show web page with login page
user enters username + password
page reloads and you get parameters from new page (auth code)
issue token request with auth code retrieved from previous step
save token with refresh token
use refresh token to obtain new token but remember that refresh tokens will have 'refresh_token'
value set to null so you will have to save refresh token retrieved
at the beginning to issue new tokens after they got too old (usually
3600s)
This: http://bshaffer.github.io/oauth2-server-php-docs/grant-types/client-credentials/ and this http://brentertainment.com/oauth2/ will make it easier to understand and implement
I am writing an Android app which submits a username and password to a Java Servlet hosted on Google App Engine. I am writing both the Android app. and Servlet.
The username and password are packaged into a POST request on the device and the servlet doPost() method checks the values. If the username and password are correct I request a session...creating it if it doesn't exist:
HttpSession session = request.getSession(true);
In this session I store a name value pair "logged" and "true".
Back on the android device a cookie is returned along with an HTTP status of 200 OK. This all seems fine, since the session on the server is implemented using cookies (transparent to me since I'm just using the session API).
All subsequent HTTP POSTs made by the android device package up the cookie into the HTTP POST so that it can request .jsp pages or use other servlets which inspect the session for the "logged and "true" value (i.e. protected pages).
The problem: A cookie is returned even if the following code is NOT run:
HttpSession session = request.getSession(true);
i.e. the username and password were false. This isn't such a security issue since the "logged" and "true" name value pair is never set so the application cannot use the .jsp or other servlets. However, I was using the fact that a cookie had been returned from the POST request to the device as a sign that authentication was successful.
Why am I getting a cookie even though I don't use or request the use of a session?
My current solution is to create an additional cookie in the servlet and check for this cookie on the device. HOWEVER, this cookie is not the one packaged into subsequent POSTS from the device since it is not the cookie associated with the session containing the "logged" "true" value. This seems hacky. Clearly I ave misunderstood something.
Most (or perhaps all) servlet containers will always assign a user a session cookie if they do not already have one, whether the webapp being served explicitly requests a session or not. Google App Engine is no different in this regard. You shouldn't assume anything based upon the mere existence or non-existence of a cookie other than that the device has made a request to the server and received some response back.
If you want to verify that the login was successful on the device, why not just send back a response to the login request that it can easily parse. For instance, a simple JSON-snippet like {"status": "success"} would do, or even just the literal text string "success".
Your second cookie approach definitely sounds a bit hacky. Presumably your authentication request is already sending some response back to the device (it has to be, if cookies are being sent). What do you feel that you gain from using a cookie that you don't get by just sending some status message back as part of the response?