Use Session Based Cookies in WKWebView - ios

I'm using AFNetworking to sign in using basic auth. There is a Java session identifier (jsessionid) assigned and stored in a cookie. How can I store that cookie and use it when loading a WKWebView (or SafariViewController, although I don't think that's possible, but I'd love to be wrong)?

Related

Handling Multitab support with JWT Long lived Refresh token in secured cookie and Short lived Access token in memory

I currently use the Spring OAuth 2 framework for authentication and authorization. When I googled the best way to store the access token and refresh token, I was recommended to store the access token in memory, such as in a variable, and store the refresh token in a secured HttpOnly cookie. This was working fine until I faced a new issue.
I opened a new tab next to the tab where I was already logged in; now the problem is that instead of going directly into the application, the login page was presented. I then enter my username and password again and log in to the second tab without any issues.
But when I log out from the second tab, both the first and second tabs get logged out, since the refresh token cookie is shared, but the access token is not shared between tabs since it's stored in a variable.
I was expecting the following results:
When I log in to my second tab, I expect the session to be separate. The reason I'm setting the refresh token in cookies instead of storing it in a variable like the access token is that there are multiple applications hosted in the same domain to implement the SSO concept. When another application is clicked, instead of routing it to a login page, I just get a new access token for the application using the refresh token that is stored in the HttpOnly cookie.
I was told the only solution is to store the access token in localStorage or normal cookies so that I can also share the access token between tabs, but it seems not to be a secure way, as the token can be stolen using an XSS attack.
Hoping for an optimal solution. BTW, when the user logs out, I invalidate both the access and refresh token from my JDBC token store.
Sounds like you need to decide what type of Web UI you want. Trying to mix and match these concepts does not work well, as you are discovering:
Either your Web UI is a cookieless Single Page Application
Or your Web UI routes all data requests via a web back end using an Auth cookie
TOKEN SCOPE
Generally tokens are private per browser tab and auth cookies are not, as you realise. Using tokens in the Web UI will give you better control of usability aspects.
SPA COOKIELESS MODEL
This gives you independent sessions per browser tab, but requires you to use a library such as oidc client to implement logins client side. You can then store an access token in memory. Token refresh is done via silent iframe redirects and not via refresh tokens.
SPA COOKIELESS COMPONENTS
In this model:
Spring Boot's role would be to host REST APIs
The Web UI would not use Java at all
The Web Back End would be just static content
For a bit more background, and how to implement login / token management in JavaScript, see these posts of mine:
SPA Goals
Tutorial + Code Sample
NO WEB UI OPTION IS PERFECT
They all have annoyances and sometimes it depends what your stakeholders most care about.

Using express-session with an iOS native mobile client

I am building an express server that will be used with an iOS native mobile client. Users of the app will be able to form "parties" with other users, and users within the same party will be able to communicate with each other via socket.io.
I want to enable sessions so that 1) I can have persistent login on my frontend and 2) store user.party_id inside a session, so that for a particular user I always have access to his party. If the user leaves a party, then req.session.party_id will be set to null.
Is it possible to use express-session with a native mobile client? I would assume so, and that all the client has to do is set a cookie header on each request. The server then reads the cookie id, and has access to the user session. Are there any drawbacks to using a session with native mobile clients?
Are there any drawbacks to this approach? Someone suggested that instead I set a JWT as an Authorization header, and on each request, use that header to lookup the user and party_id. This approach seems to be a reinvention of a session.
Check out Swift: How to remember cookies for further http requests for info on how to save a cookie/session cookie.
As to JWT vs. session cookies, they do serve similar purposes. JWT is more widely used today as it enables you to have multiple servers that handle API requests (i.e. horizontal scaling or serverless architectures) and are more fault tolerant (i.e. still work even if the server restarts). Depending on your needs, it might be worth looking at JWTs.
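
The cookie-based flow discussed in this thread, as an added example that is not part of the original posts and is not express-session's own code: the server signs an opaque session id, the native client stores the cookie and sends it back in the `Cookie` header, and the server verifies the signature before loading `party_id` from its store. The format is modelled on the `s:` + HMAC-SHA256 signed cookie that express-session issues under its default name `connect.sid`; the secret, the in-memory `Map` and the function names are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: server-side signing secret
const sessions = new Map();               // assumption: stand-in for a real session store

// Sign a session id as "s:<sid>.<base64 HMAC-SHA256 with padding stripped>".
function sign(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid)
    .digest('base64').replace(/=+$/, '');
  return `s:${sid}.${mac}`;
}

// Return the session id if the signature verifies, otherwise null.
function unsign(value, secret) {
  if (typeof value !== 'string' || !value.startsWith('s:')) return null;
  const dot = value.lastIndexOf('.');
  if (dot < 3) return null;
  const sid = value.slice(2, dot);
  const expected = Buffer.from(sign(sid, secret));
  const given = Buffer.from(value);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (expected.length !== given.length) return null;
  return crypto.timingSafeEqual(expected, given) ? sid : null;
}

// Login: create server-side state and return the cookie pair the client must store.
function login(userId, partyId) {
  const sid = crypto.randomBytes(24).toString('base64url');
  sessions.set(sid, { userId, party_id: partyId });
  return `connect.sid=${encodeURIComponent(sign(sid, SECRET))}`;
}

// Per request: parse the Cookie header the client sent and load the session.
function sessionFromCookieHeader(header) {
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== 'connect.sid') continue;
    let raw;
    try { raw = decodeURIComponent(part.slice(eq + 1).trim()); } catch { return null; }
    const sid = unsign(raw, SECRET);
    return sid && sessions.has(sid) ? sessions.get(sid) : null;
  }
  return null;
}
// Leaving a party changes server-side state only; the client's cookie is unchanged.
function leaveParty(header) {
  const s = sessionFromCookieHeader(header);
  if (s) s.party_id = null;
}
```

The cookie carries no user data, so `party_id` can change or the session can be deleted on the server without reissuing anything to the client; a JWT in an `Authorization` header would instead carry its claims with it until it expires.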

Using html5 localstorage instead of cookies with passport.js

Is there any way to use localstorage instead of cookies when dealing with passport.js oauth implementations (such as google, twitter or facebook) for persistence login?
The reason is quite simple: you can't use cookies in native app wrappers like node-webkit or atom shell.
Thanks!

Use stored NSUserDefaults to sign into a web site

In my iOS app I have my user authenticate against our Domino server and store the username and password. I have some web pages that I want the user to see and am loading them in a UIWebView. However, every time I try to go to the page I am being challenged for authentication. I think I need to send a post to the server with my username and password but I am not sure how to do that?
I've never done that with iOS, so take this with a grain of salt, but I think there are generally two ways to do it:
You can likely pass the UN/password combination along as HTTP Basic authentication in each request. I believe it's the case that Domino will honor those credentials even when session auth is enabled.
If you're using session auth, you can do what you intimate: POST to a Domino URL containing the ?Login command (typically, "/names.nsf?Login" is a good choice) with Username and Password parameters (along the lines of How can I login to Domino via Ajax?). The resultant value of a successful login will contain an authentication token cookie (typically DomAuthSessId or LtpaToken, depending on whether or not you're using SSO). By including that in the Cookie header in future requests, you should be able to continue the login.

Rails, Facebook and Koala

Note on Facebook’s secure cookie format
In their new secure cookie format, Facebook provides an OAuth code, which Koala automatically exchanges for an access token. Because this involves a call to Facebook’s servers, you should consider storing the user’s access token in their session and only calling get_user_info_from_cookies when necessary (access_token not present, you discover it’s expired, etc.). Otherwise, you’ll be calling out to Facebook each time the user loads a page, slowing down your site. (As we figure out best practices for this, we’ll update this wiki.)
Let me get this straight: even if I use the JavaScript SDK to parse the cookies I still need to do a server-to-server call to Facebook? Doesn't this make the whole JavaScript SDK for user authentication kind of useless? I always need to check the cookies (so I won't have a stale access token) thus calling Facebook every time?
What this quote is talking about is lightening the load on Ruby by not re-validating the OAuth token with a key exchange between Ruby and FB every call.
So, you can save the token in session/db/your own cookie/etc. or you can have FB's JS SDK revalidate it and pass it to you as part of your request.
