Is there any way to cache login credentials for automatic login functionality?
In addition, I used HTML5 and jquery-mobile.
One option: we use localStorage in HTML5 to save the access credentials for our webapps/phonegap. At page startup we check if we are logged in, if not send the access credentials to server in background and become logged in. All this is only if user enables 'remember me'.
We are using pure javascript, so other options might exist within jquery as well as elsewhere.
Side note, this should be seen as a low security option depending on how/what you save to the phone, anyone who can physically get hold of the phone could extract the credentials.
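An added example, not part of the original answer: one way to keep the "remember me" startup check described above while narrowing what sits in localStorage, by saving a server-issued, expiring, revocable token instead of the username and password. The server is simulated in memory and all function names are hypothetical.

```javascript
// Added example; every name below is hypothetical, not from the original answer.
const rng = globalThis.crypto ?? require('crypto').webcrypto;

// Simulated server, constructed for this example. A real one sits behind HTTPS
// and would keep only a hash of each token.
const serverTokens = new Map(); // token -> { user, expires }

function issueToken(user, ttlMs, now = Date.now()) {
  const bytes = rng.getRandomValues(new Uint8Array(32));
  const token = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  serverTokens.set(token, { user, expires: now + ttlMs });
  return token;
}

function redeemToken(token, now = Date.now()) {
  const rec = serverTokens.get(token);
  return rec && rec.expires > now ? rec.user : null;
}

// Client side. `storage` is window.localStorage in the browser.
const KEY = 'rememberMeToken';
const TTL_MS = 14 * 24 * 60 * 60 * 1000; // assumed 14-day lifetime

function rememberLogin(storage, user, rememberMe, now = Date.now()) {
  // Runs after a successful password login; the password is never stored.
  if (rememberMe) storage.setItem(KEY, issueToken(user, TTL_MS, now));
  else storage.removeItem(KEY);
}

function autoLogin(storage, now = Date.now()) {
  // Page startup: try the saved token and drop it if the server rejects it.
  const token = storage.getItem(KEY);
  const user = token ? redeemToken(token, now) : null;
  if (token && !user) storage.removeItem(KEY);
  return user;
}

function logout(storage) {
  // Revoke server-side so a copy taken from the phone stops working.
  const token = storage.getItem(KEY);
  if (token) serverTokens.delete(token);
  storage.removeItem(KEY);
}

// Map-backed stand-in for localStorage so the example runs outside a browser.
function memoryStorage(m = new Map()) {
  return { getItem: k => m.get(k) ?? null,
           setItem: (k, v) => { m.set(k, String(v)); },
           removeItem: k => { m.delete(k); } };
}
```

The token is still readable by anyone holding the unlocked device, but it expires, can be revoked on logout, and does not disclose the password.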
Related
I want to open, from an iOS app, a web page that requires authentication in order to get to that page.
I googled a little bit and I believe I need to use WebKit and Javascript injection, but I am not sure and I have never done something like this, so every bit of information is welcomed or pointing me in the right direction.
I will give an example that I hope will make things more clear (I don't actually want to open facebook, it's just part of the example):
Is it possible to do the following scenario? And if yes, how?
Open a web page from an iOS app, for example: "https://www.facebook.com/profile" without having to go through the login page? I do have the user credentials (username and password), as the user is already logged in with those credentials in the iOS app, but the requirement is to not go through the login page, but to go straight to the profile page.
In general the answer is: no. Even if the user is already logged in and has a valid authentication token that token may only be valid from within your app and not from within the browser. And the login form may be protected by something like a captcha preventing you from automatically logging someone in.
There certainly are situations where it is possible: For example if the tokens are not scoped to your app you can try passing them along. Or there is an actual API that you can call with the token that logs the user into the website on the website, etc. But those depend on the specific target website or whether you can control that target website and can add this functionality.
I'm developing an internal app that will leverage our corporate Google Drive accounts and will be used on shared devices (iPads shared among teachers and students at school sites).
Is there a way to force GIDSignIn to require a password with each sign-in attempt? Right now, even after calling GIDSignIn.sharedInstance().signOut() (or GIDSignIn.sharedInstance().disconnect()) the user doesn't need to enter their password the next time they access the app. That means, when the device is taken by the next user, they could very easily access the other user's account.
Am I missing something? Do I need to somehow clear the cookies store in the UIWebView that the GIDSignIn process uses?
Where available, the GIDSignIn login process uses an SFSafariViewController, not a UIWebView. It leverages the cookies (as well as passwords) stored in Safari, for a quicker login.
I don't think you would be able to clear such cookies. You should be able to force a Google log out, though, by opening https://www.google.com/accounts/Logout in an SFSafariViewController, though the interaction with the rest of your app may be a bit weird. See Logout link with return URL (OAuth) for a way to provide a return URL which you may try to use to control the process (you'll need to use a URL scheme to return, though).
Note that iOS may prompt to save login information, and then provide said login information to subsequent users. You'll need to disable that in Settings -> Safari -> AutoFill.
There may be other ways of achieving it via configuration of the device, but iOS is not really designed for multiple users at the moment.
The new MVC5 web application templates are pretty nice. All you need to do is uncomment UseGoogleAuthentication() and you can log in using your google account. This works fine.
My question is with regards to the login-logout-login cycle. For instance, if I want to test my application with different Google accounts, this currently does not work out of the box.
When you log-out it only drops the application cookie but google happily assumes that you want to stay logged-in and when you press google login it will use the account you've previously chosen and skip the account selection process.
As I understand it OWIN's AuthenticationManager.SignOut is supposed to revoke the external cookie as well as the application cookie but this does not seem to be happening. Bug or feature?
I'm aware of the prompt parameter (see this question) to force the behaviour however I don't want to force the prompt every time someone hits the app, only when you log-off and back on again.
Any chance for a simple solution? Seems strange that this is not supported.
I've searched around and there doesn't seem to be a non-hacky way to clear the user credentials from the browser using basic authentication.
I'm building a WebAPI with an HTML client that accepts username/password - if the user logs in, they should certainly be able to log out as well, or the system should automatically log out after a certain time period.
Is there any standard way to accomplish this with Basic Auth (over SSL), or should I start looking into other forms of authentication?
Edit: looking into the SimpleMembershipProvider, would there be anything "wrong" with extending the Membership table with an "IsLoggedIn" property that I can toggle and check with every request? If they click logout, then I redirect to the login page and return 401 Unauthorized unless they submit their credentials again. Does this sound ok?
No. Until the time the browser is closed, credentials are cached by the browser. There is no non-hacky way to clear the credentials. Check this out.
I have a need to set some context via Safari (a context token), and then read that context from a native iOS app. What are the best practices for doing this?
A couple thoughts so far:
Set the context in an HTML 5 database, but I'm not sure this will work because the database might be only accessible from Safari. Would using a WebUIView in the native app allow me to access the same HTML5 database / local storage as Safari?
Set the context in device storage, but I'm not sure this will work because I don't know if Safari can actually write to device storage.
I would suggest one of these two options:
Let the web server keep track on the user both in the app and on the website, for example by creating a user account.
or
Pass the context token to the app immediately via a URL scheme by registering your app as a protocol handler, see more info here.
Suggested way:
Send e-mail with link and context token, when user clicks link, save context token in cookie in safari, then redirect to appstore for app download.
When the user downloaded the app and opens it, present a button for the user, when the user clicks it, open a web page in safari.
Safari loads the cookie with the context token, and then triggers another link using a URL-scheme like yourAppName://contextToken=12345678. The link opens your app which reads the context token from the URL.
There is no best practice for directly sharing data between Safari and a native app, and it is simply not intended that you should do that. All cookies and storages are sandboxed for each app and Safari has its own sandbox.
Letting your server do the job via user accounts is the best and cleanest way, IMO. That is why you have user accounts. If you didn't try out the protocol handler for reading specific URLs, that could also be made handy I think.
Could you have the app hit a URL on first launch hosted by server which is redirecting the user in Safari, and compare IP addresses, time, iOS version, etc. to get at least an approximate match? If an approximate match is insufficient, you could, when you see an approximate match, have your app open Safari to confirm their identity via cookie.
It’s easy to send messages between a UIWebView and your native app using WebViewJavascriptBridge.
In your case, though, the accepted answer’s suggestion of using a custom URL scheme (directly from email to app, post-install) makes the most sense.