I'm using Python2.7 And Django==1.7 on the ServerSide and Cordova==5.3.3 for Mobile ClientSide.
In ClientSide, I've used cookie-base authentication in iOS properly but seemingly Android doesn't support cookies for Cordova based on the documentation.
As you know i can access user's sessionId via cookie in django as below:
def login(self, request, **kwargs):
user = request.user
But in this case maybe i need to access cookie manually because of Cordova limitation.
So my questions are:
Is the any way to access cookie header in Cordova-Android?
If there is not, Whats the best way to get sessionId instead of set-cookie header? custom header or get parameters?
And finally whats the best way to get and validate sessionId manually from session_table of django for current user?
Thanks.
Related
I am using Django as my backend for my android app. I have been handling post request using #csrf-exempt annotation with my views as I wasn't able to deal with csrf verification while sending post request from android(VOLLEY LIBRARY).
Now, I have to use django.contrib.auth login and logout methods but sessions aren't working when I am sending post request from android.
I had tried enabling cookies with my request in android but that also didn't work(enabling cookies also did not solve the csrf verification failed issue).Also I tried taking csrf token from a GET request to django( django.middleware.csrf - get_token) and then passing that csrf token in headers(X-CSRF-TOKEN)in my post requests, that also didn't work.
Code that I used to enable cookies in android:
CookieManager manager = new CookieManager();
CookieHandler.setDefault(manager);
So,
1. I don't know how to use django scripts without using #csrf-exempt from android.
2. and how to use django login with android
Here is a generic response on using django as a backend: Is it possible to develop the back-end of a native mobile app using the python powered framework Django?
More specifically this is normally done with a JWT - json web token: http://www.django-rest-framework.org/api-guide/authentication/#django-rest-auth
I'm sure other rest/ api frameworks exist but I normally use DRF.
Here is an example with a tutorial: Authentication with android app in a django server
I want to parse the web service in Android/iOS, Which is
written in SAP, but not able to do that. Can I do this ? and How?
When I hit the request on browser I get this popup and after entering the valid details here then only i get the JSON response, But how to get this done in mobile development?
Thank you..
Add Authorization header to your request
Authorization: Basic <Base64of Username:Password>
For quick check, you can generate auth header here
You can try using PostMan chrome plugin to generate request and play with different set of input data.
I'm working on an android apps. I am using ionic framework. In some pages I need to get data from a web server and the result is an object json.
My problem is if some one arrives to GET the pages where I get the json data, one can fetch all my database data by changing the http request.
Is there any way that can improve security of my apps?
You should make some kind of authentication mechanism, for example, a token in the header, that way you know wether the user has access to that resource or not.
So when you make your request you can generate a configuration for that particular request.
Example:
var url = "http://yourserver.com/api/your/path";
var config = {
"headers": {
"Authorization": "Bearer someBearerFromTheServer"
}
};
$http.get(url, config);
The backend implementation for this to work depends on the language you use. Here google is your best friend.
A more advanced way to do this, is to use interceptors in the $http service and attach the token to the header in every request, but be careful, you should secure this so you won't send your credentials to every request you make (sometimes your app might need to request data from another server).
You can read more about $http services and its configurations in the $http service documentation.
Regards
Hello all i am making an android app in whiich i have multiple account login at a time now my question is that i for multiple logins i should use sessions to verify every account user that is logged in. Now i am using express on the server side i have read a lot of documentation on storing sessions in node.js
Express-session (Though it is only good for development but not for production but not for my app)
Cookie-session
connect-Redis
connect-mongo
I have also heard about json web tokens where i can generate unique tokens and then i can pass the tokens to the client using res.json({user_id:"user1", token: "generated_token here"})
I have also heard about passport but dont know how it is going to do this also as in passport i use express-session by default will it be good for production or not ??
Now my first question is i have read all of there docs and nowhere it is mentioned where i am creating unique tokens for every user that is signing up.
Second question as i am using my server for android app there will be no use of cookie i will be sending user token as in parameter req.body.token now how to cmpare this with current user_id.
Actually i dont get the flow of control i mean how everything is going on in session in node.js. Also what is this secret is this thing generating unique tokens or what. Also i mean about 100000 of users are registered for my app now please tell me accordingly which way should i use for my app.
I have asked this question previously but there i did not mention that as i am not making a website how to do this(As in my case there will be no use of tokens)
I know this question i am asking is very vague but please bear with me i just want to understand how sessions are used in node.js
Thanks Anways
I'll try to answer this, but it is vague (as you pointed out). I'm going to make an assumption that your Android app is a native Android app and is going to be connecting to some sort of NodeJS backend in the cloud that is based on ExpressJS. If that's not the case, please clarify your thoughts in an update to your question.
The best idea for this specific scenario is to look to the cloud provide. Azure App Service Mobile Apps, for example, allows you to implement authentication - it eventually returns a JSON Web Token (http://jwt.io) to authenticate each request.
If you don't want to be beholden to a cloud provider, but want to run it yourself, you are going to have to implement the token generation and checking yourself. This generally follows the form:
Set up a WebAPI endpoint (maybe /signin) which takes whatever token the identity provider gives you, verifies the information and returns a JWT - there is an NPM module (jsonwebtoken) for producing the JWT. Ensure the JWT includes the identity of your user. I tend to use email address for the identity.
Your Android application will do a WebAPI request to your backend with an Authorization header, the value of which is "Bearer "
Your NodeJS API will use JWT authorization to validate the JWT and extract the user identity so you can use it in your API logic.
The important thing to note in this specific scenario is that your backend code is implementing a WebAPI - there are no cookies nor sessions in the API. The only thing that is linking the user from the client code to the backend code is the JWT.
As a short piece of code, here is how you verify a JWT:
var express = require('express');
var app = express();
var jwt = require('express-jwt');
var jwtCheck = jwt({
secret: new Buffer('your-jwt-secret', 'base64'),
audience: 'your-jwt-audience'
});
app.get('/api/protected', jwtCheck, (req, res) => {
// Your code here
});
app.listen(process.env.PORT || 3000);
I'm building an native Android app with Worklight 6.0.0.1 and having trouble connecting to our production Worklight Server.
The server is fronted by a DataPower appliance that handles authentication and requires us to send a particular cookie on any call to the Worklight Server.
We tried using addGlobalHeader("Cookie", "cookie-name=cookievalue") to set this cookie, but found that using this API does not play nicely with the cookies that Worklight itself uses to manage it's session.
The cookie header is properly set for the initial request to Worklight, and Worklight responds with a challenge and sets JSESSIONID and WL_PERSISTENT_COOKIE.
Then, when the Android API answers this challenge we see 2 cookie headers being sent in the follow-up request which violates norms for http headers.
Cookie: JSESSIONID=<...>;WL_PERSISTENT_COOKIE=<...>
Cookie:
Oddly, if I go through a TCPMon proxy to inspect the traffic, I can connect successfully, but if I go directly against the DataPower address, it doesn't see the header and fails to reach Worklight.
What is the correct way to inject a cookie so my cookie goes into a single cookie header along with all of the other cookies that Worklight wants?
Add global header will add headers, it was not designed for cookies. If you need to set cookies I'd suggest trying Android's CookieStore. Create you cookie with all the relevant params (value/url/expiry etc) and add it to CookieStore
http://developer.android.com/reference/org/apache/http/client/CookieStore.html