I have a node js server and an android client. Basically I have two options for authentication: rest api + http basic or sessions. I prefer sessions, because storing user credentials to the memory of a phone doesn't seem like a good idea. Session id is temporary, so storing it would not be a security issue.
I've tried the following approach: On node js I'm using express-session middleware. On client side, session id is stored in variable SID. With every request, cookie "connect.sid=SID" is set. If response contains set-cookie, SID is set to match connect.sid. However, this approach does not work. I could however generate my own id and not use express at all.
Also, I don't understand browser behaviour with express sessions. I'm using https, if that makes any difference. It works fine, but first of all, all requests create 2 operations: one with OPTIONS method and the other with the actual operation. The response to options request returns set-cookie. In actual operation requests, cookie "connect.sid" is set. In every request the id is same BUT each set-cookie returned by the server has a different id and the id sent by the client does not match any of these ids. Could someone explain what's going on?
Authenticating to a server with a mobile application is a very common situation these days. What is the recommended way to handle it (without third parties)?
Could someone explain what's going on?
I suspect that your implementation of the cookie handling in the client-side (Android app) could be the cause of the problem.
I developed an Android app with node.js and I saw a similar problem using an RESTful API.
In my case, I used the Retrofit2 REST library. This library is based on OkHttp3 API for dealing with HTTP request/response. To solve my problem with cookies, I included the code showed in the answer https://stackoverflow.com/a/34886860/7183182, where the main pieces were the PersistentCookieStore implementation and the JavaNetCookieJar class. If you use the HttpURLConnection, the PersistentCookieStore implementation can be passed to CookieManager. The Android documentation shows how to use specific CookieStore implementations here and here.
Authenticating to a server with a mobile application is a very common situation these days. What is the recommended way to handle it (without third parties)?
I recommend use the OAuth solutions, where the API key (or access token) is stored in the client-side using SharedPreferences.
Session id transported through cookies is an solution, but it is problematic with native or hybrid mobile applications.
Related
I want to make an android app which will login to my web application using rest API. In browsers we have a concept of cookie which servers use to identify/maintain session with the users.
In Android how would we accomplish it ? I heard that there is a concept of token which is sent by server in response(first time when credentials are validated) and Android app have to send it to server every time it tries to access a resource(protected). So, what is the better way of doing it ?
Do we need to validate the token again and again when the client requests for a resource ?
Honestly, I can't think of a better way of doing this. Token based authentication seems to be pretty standard when dealing with RESTful APIs. Is there any reason you can't do that?
If you don't want to change the server code, then this could be simulated by adding a cookie header to every request you send. But this is basically the same thing that you mentioned above, just not as clean.
And the browser is already sending a token to be validated again and again. Every request has a cookie header that gets validated through your web application on every request, so this isn't a big deal at all.
And, you don't need anything Android specific to accomplish this. In whatever http library you're using I'm sure there is a method you can called or something you can override in order to set custom headers. Use that to set either your cookie header or token header on every request that you need to make.
(I'm asking this partly for learning purposes, I realize what I'm trying to do might be entirely wrong!)
I have a php file on my website that handles log in and sets a cookie for the user if log in is successful. if setcookie() fails, I error out instead of displaying the rest of the page.
When I try to access this page using my android app (which uses HttpURLConnection with POST), the setcookie() fails. I'm guessing this is because the client isn't a browser and can't handle cookies.
so first of all, is there away for my app to be able to receive cookies from the server and store them? if not, how do you handle maintaining a login session with the user so you dont have to send a username and password, every time you want to access data from the server?
THanks
A couple of notes before the workaround:
The function is called setcookie() not set_cookie()
Android browsers do support cookies afaik, so you probably should look into this further. Perhaps the format of your setcookie call is not valid?
If you can't use cookies, then the workaround is to simulate your own session mechanism by passing your cookie value as a url parameter on every request.
I have created an AppEngine connected Android application, and I'm trying to modify it to be able to store some user data on the server. I do not know what's the easiest way to do so, because I want it to be as simple as possible. I just want to store some basic data for every user. This data is: Name, Email, and some other Strings. I have created a form in the android side which will allow the user to type all the requested data, but I do not know how to send this information to the GAE server and store it in the datastore. I guess I will have to use a Servlet and some kind of RPC service to call the methods. I'm really lost because it is my first time doing this. I'm not experienced neither in android nor in web apps. I hope you can help me.
Update
Well, maybe I did not explain myself well. The system I've been asked to build consists on a web service that store your personal login credentials for most common sites (facebook, gmail, etc). Using a chrome extension, you ask the server for the credentials on the website you are navigating, and then the server asks to your phone for authorization. It will ask (do you give me permission to send your credentials to "some user"), and you have to ansewer yes or no and then the server will act in consequence. The point is that you have to store your credentials in the server in some way, maybe from the android app (which is what I was trying) or from somewhere else. I will also need authentication.
Pd: I use java for the server side.
Since you already started with AppEngine connected Android application, it makes sense to continue customizing it: App Engine Data Access: Adding Entities and RPC.
Update:
There are of course many ways to exchange data between client and server. The most simple would be a servlet handling GET and POST requests with some query parameters.
Also, most popoular lately is REST:
Android REST client: http://appfulcrum.com/2010/08/20/android-how-to-call-rest-service-using-asynctask/ (try using GSON instead to parse JSON)
Server: use a REST framework. My personal choice is RESTEasy. An example: http://ankiewsky.blogspot.com/2010/08/resteasy-on-googleappengine-corerest.html
Update 2:
The simplest possible way - making/handlin a simple POST request:
Android client - making POST request with parameters: http://www.androidsnippets.com/executing-a-http-post-request-with-httpclient
Server handling POST (or GET) and extracting parameters: http://www.exampledepot.com/egs/javax.servlet/GetReqParam.html
Find and follow thoroughly the Topic Index on this page. Gud luck
I've been doing some research and it seems my best option to go with an Android-Client/PHP-Server application is by using JsonRPC. My question is, How would an authentication mechanism work?
I'd use Zend for json server and Android-json-rpc as client. Or is there a better way to do a remote authentication?
If you want to do a simple API key then in every JSON call, the client would pass the auth key and in each method on the php side would get the key and authenticate it.
If you wanted to do session type authentication, you would have to first call an authenticate method that would return the session_id to the client. The client would then send the session key in every subsequent method. Within the methods, the server could then check the session key.
I have looked for a way to cleanly abstract authentication out of the actual json RPC methods, but if you use Zend_Json_Server directly, there is no way to do it. You may be able to extend it, but to me, it wasn't worth the hassle.
just like browser works . Browser also sends session id in every request using cookies . You can build the similar functionality with your java REST client by appending that id to every request .Then in php code you can do
session_id($_GET('session_id'));
session_start();
your rest client will send this session_id in every request to be identified. This way you can use php sessions just like with browsers.
I'm trying to get json data from a django view (login required)
into a new android app I'm working on.
I would like to authenticate the user against the django login
and keep the cookie/session for all the django view calls to
get data from the server.
I did some googling but nothing helped me,
even if I guess it should be a quite common task.
Maybe I'm facing the problem from a wrong point of view..
So I'll switch the question to:
how can I do some user authenticated json request/response to a django server?
Any clue?
You have to do as the website expects, and you need to persist the session cookie.
What I did is using XML-RPC to do all the transfers.
Not exactly sure if it's the best way, considering django's xml-rpc support is some kind of a hack.
Here's a very detailed XML-RPC handler for django:
https://code.djangoproject.com/wiki/XML-RPC
then, setup ur client end on android.
When communication is okay. Start writing server end API.
from django.contrib.auth import authenticate
and use this function to do authentication.
Then for sessionId stuff, you need to go to backend db to manually do them: https://docs.djangoproject.com/en/dev/topics/http/sessions/
as u can see, this is why I don't think it's the best way. You can't send httprequest, hence most django build-in functions doesn't work.