iOS6 getting and setting cookie to a UIWebView - ios

I have an HTML5 web app using a cookie for authentication. In iOS 6 it faces a problem receiving the cookie from the server: the outbound request does not have the cookie inside the header as before. I came up with the idea of requesting the session id with an HTTP request and putting it somewhere (maybe NSHTTPCookieStorage?) so that all requests from the UIWebView will contain the cookie; then most of the HTML5 code doesn't have to change.
Is this the correct way to go? If yes, how do I implement this? Thanks.

Related

WkWebView sometimes loses the session variable

I have a Ruby on Rails backend web application. I use an iOS application as a web client (WKWebView) written in Swift. The authentication token is stored as a session cookie variable on the backend:
session['token'] = generate_token
The problem is that this session variable is accidentally lost and the flow is redirected to the login page.
The WKWebView is not closed, just used to process HTTP requests.
I'm not able to figure out why this accidentally happens.
Since you are using just a WebView and not the default Safari browser, you are making your own custom browser, so you are responsible for handling things like caching your token for the current session. My suggestion: if you want the token to be stored and used only once, then create a variable something like
let accessToken = "your json web token"
Then pass it as a header when making a request to your server.
If you want to maintain access then you might want to save your token in the Keychain or UserDefaults, depending on the level of security.
Navigation and other user interactions
As I mentioned, using WKWebView means you are making your own browser, so you have to detect subsequent requests as the user interacts with your web pages. For navigation, you have to use WKNavigationDelegate methods.
If WKNavigationDelegate does not solve your problem then you have to make use of JavaScript events, i.e. post an event when the user visits a certain page and use WKScriptMessageHandler to respond to those events by passing the access token etc.

Get HTTPOnly Cookie on iOS device

Is there a way/browser for iOS to get a cookie that is HttpOnly? I know it's not accessible through JavaScript. But is there a way to read it through a plugin (e.g. Edit This Cookie for Firefox)?
Or maybe there is an alternative browser app for this?
I've found an app called HTTP Catcher. It provides a local web proxy on the device itself that captures all internet traffic. The HTTP requests include all cookie information and meta fields.

How to open URL in Safari with preset cookies or headers in iOS?

In my application, I have a screen where the user clicks different types of files to view and download them. However, this screen is only accessible after the user is logged in through the web site.
I launch the Safari browser with my URL by using this method:
UIApplication.sharedApplication().openURL(NSURL(string: url)!)
However, the user is being redirected to the login screen because he is not authorized to use the website yet.
My question is, how to pass cookies or headers to Safari and launch the URL with those?
You can't do that directly. openURL does just that, no more.
You need to pass required credentials in the URL. The target server may read them from the URL and then set desired cookies in the response.
If you implement that, make sure it can't be abused to set arbitrary cookies or perform a session fixation attack. One way to implement that securely is to use one-time identifiers:
In the iOS app, contact the server using a valid auth cookie and ask for a one-time long random key, which the server needs to store for a while.
Redirect user to URL with ?key=<that one-time key>
Make the server verify that the key matches and set cookies for the user, and delete the key.
Be careful with passing any secure data in the URL query, as it's considered to be a security risk.
Some reasons are:
URLs are stored in web server logs
URLs are stored in the browser history
URLs are passed in Referrer headers
Reference: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
I know it's not what you are looking for, but a more secure solution would be to use session-level cookies together with WKWebView. Check this SO answer for more information: https://stackoverflow.com/a/26577303/14009088
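The one-time key handoff from the three steps above, written out as a server-side sketch so the single-use and expiry properties that defeat replay from logs, history or Referer headers are visible. This is an added example, not the answer author's or any project's code; the in-memory store, the 60-second TTL and the /handoff path are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory store for one-time handoff keys (example code).
# A real backend would keep these entries in Redis or the database.
class OneTimeKeyStore
  TTL_SECONDS = 60   # assumed lifetime; long enough for one redirect

  def initialize(clock: -> { Time.now })
    @clock = clock
    @keys = {}       # SHA-256(key) => { user_id:, expires_at: }
  end

  # Step 1: called by the endpoint the iOS app hits with its valid auth
  # cookie. The raw key is returned exactly once; only its digest is kept,
  # so a leaked copy of the store cannot be replayed.
  def issue(user_id)
    key = SecureRandom.urlsafe_base64(32)   # 256 bits of entropy
    @keys[Digest::SHA256.hexdigest(key)] = {
      user_id: user_id,
      expires_at: @clock.call + TTL_SECONDS
    }
    key
  end

  # Step 3: called when Safari arrives at /handoff?key=... . Returns the
  # user id whose cookies should be set, or nil. The entry is deleted on
  # every lookup, whether it succeeds or not, so a key copied out of a
  # server log, browser history or Referer header is useless afterwards.
  def redeem(key)
    return nil if key.nil? || key.empty?
    entry = @keys.delete(Digest::SHA256.hexdigest(key))
    return nil if entry.nil?
    return nil if @clock.call > entry[:expires_at]   # expired: already deleted
    entry[:user_id]
  end

  def size
    @keys.size
  end
end

# Step 2 is the redirect itself: the app opens this URL in Safari.
# urlsafe_base64 output needs no further escaping in the query string.
def handoff_url(base, key)
  "#{base}/handoff?key=#{key}"
end
```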

In background NSURLSession why are secure cookies lost?

I'm developing an app that logs into an HTTPS website. After authentication, the website sends a final cookie that is marked as 'Secure'.
The app works when I use defaultSessionConfiguration() for NSURLSession().
When I change one line in the app to use backgroundSessionConfigurationWithIdentifier(), I can't proceed past the authentication stage. I do get a webpage showing that I am authenticated, but subsequent requests return the login page.
It appears that the "authentication successful cookie" is not present in the shared cookie storage.
This cookie is the only cookie that the website marks as "Secure". Note that this HTTPS website does all its transactions via HTTPS.
TL;DR
What does the NSURLSession background session do differently from the default session to lose a Secure cookie?
EDIT: I've done some more work.
When NSURLSession redirects using the backgroundSessionConfiguration, it appears to ignore cookies that were sent in the header of the redirect? (I think the cookie being "Secure" may not be critical.)
The redirect works correctly when the defaultSessionConfiguration is specified.
It turns out that this is a known bug. Apple r. 16,852,027.
The backgroundSession is known to ignore new cookies on redirect. The solution is to use a defaultSession to get the cookies and then continue using the backgroundSession.
See Apple Developer Forum post

Add headers to a link in angular

I have an Angular app that I need to redirect outside to a server-side HTML page, so I thought I could just use a standard <a> tag with target='_self' to redirect the Angular app to my server-side page. This actually works fine; however, I have a Rails backend that checks for an auth token before serving up any content.
This requires an auth token to be sent in the header of the HTTP request, which I am setting in a cookie, and Angular grabs it automatically with the $http service for AJAX requests, but I can't seem to get the same thing to happen on a standard link.
Can you, and if so how do you, add an auth token to a normal link before it is sent off?
When the browser is making the HTTP request and not your JavaScript code, you cannot add a custom header with your token value. See Adding http headers to window.location.href in Angular app for a similar question.
However, if this value is already being sourced from a cookie, can your backend just read that cookie value (or use some filter in the http request chain to transfer the cookie to a header)?