I logged into my Tornado backend from iOS and sent back a secure_cookie, and I noticed that I could also request other information as long as I validated the secure_cookie that I set. How long does NSURLConnection persist the cookie, or will the cookie be deleted once they close the app?
This is mentioned in the Apple docs:
The URL loading system automatically sends any stored cookies appropriate for an NSURLRequest, unless the request specifies not to send cookies.
A few facets to your question.
To start with, NSURLConnection will, by default, manage cookies based on the settings for the device. It will save the cookies to the store and send them as appropriate (when the domain matches an existing cookie). This means if you make a request from a URL with a cookie saved in the cookie store, it will be sent. This explains the behavior you mentioned. Generally, with the default settings, the cookie will persist for quite a while.
This initial statement, however, may not be helpful for your needs. I am assuming you may want to have control over the expiration of (or keep around "forever") this secure_cookie field so your app does not have to authenticate further in the future.
In this case, NSHTTPCookieStorage is the place to look. This class will allow you to both retrieve:
[[NSHTTPCookieStorage sharedHTTPCookieStorage] cookiesForURL:[NSURL URLWithString:@"http://example.com"]]
and set:
[[NSHTTPCookieStorage sharedHTTPCookieStorage] setCookie:cookie] (plus setting up the cookie dictionary object)
Based on experience and the feedback of others online, you should note that the cookie storage is not always 100% reliable. If you would like to be sending a specific cookie and value to the server, you should store that value with your app (prefs or Core Data, for example), and reset the cookie with the appropriate NSHTTPCookieStorage at each startup.
You have to look into the cookie cache management from here.
This will help you to better understand how caching for cookies is handled.
There is another very good description, where it's mentioned that you can get the cookie from the header fields and then you have full control of it. If you want, store it and use it when the application is launched again.
I hope this helps you to solve it.
In my application, I have a screen where user clicks different types of files to view and download them. However this screen is only accessible after user is logged in through web site.
I launch the Safari browser with my URL by using this method:
UIApplication.sharedApplication().openURL(NSURL(string: url)!)
However, the user is being redirected to login screen because he is not authorized to use the website yet.
My question is, how to pass cookies or headers to Safari and launch the URL with those?
You can't do that directly. openURL does just that, no more.
You need to pass required credentials in the URL. The target server may read them from the URL and then set desired cookies in the response.
If you implement that, make sure it can't be abused to set arbitrary cookies or perform a session fixation attack. One way to implement that securely is to use one-time identifiers:
In the iOS app contact the server using a valid auth cookie and ask for a one-time long random key, which the server needs to store for a while.
Redirect user to URL with ?key=<that one-time key>
Make the server verify that the key matches and set cookies for the user, and delete the key.
Be careful with passing any secure data in the URL query as it's considered to be a security risk.
Some reasons are:
URLs are stored in web server logs
URLs are stored in the browser history
URLs are passed in Referrer headers
Reference: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
I know it's not what you are looking for, but a more secure solution would be to use session level cookies together with WKWebView. Check this SO answer for more information https://stackoverflow.com/a/26577303/14009088
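The server-side half of the one-time key handoff described in the answer above, as an added example (not code from the question or the answer). It assumes a hypothetical HandoffKeys store with an issue endpoint called by the iOS app (after checking its auth cookie) and a redeem endpoint that Safari lands on with ?key=...; the clock and TTL are assumptions for the example.

```ruby
require 'securerandom'
require 'digest'
require 'monitor'

# Added example: one-time, short-lived keys that let the native app hand its
# session to Safari without putting the real auth cookie in a URL.
class HandoffKeys
  KEY_BYTES   = 32    # 256 bits of randomness: unguessable, no brute force
  TTL_SECONDS = 60    # assumption: a minute is plenty for the redirect to land

  # clock is injectable so the expiry path can be exercised without sleeping
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @store = {}        # sha256(key) => { user_id:, expires_at: }
    @lock  = Monitor.new
  end

  # Called by the API endpoint the app hits with a valid auth cookie.
  # Returns the key to put in the redirect URL (?key=...).
  def issue(user_id)
    key = SecureRandom.urlsafe_base64(KEY_BYTES)
    @lock.synchronize do
      # Store only a digest: a leaked copy of the store cannot be redeemed.
      @store[index_for(key)] = { user_id: user_id,
                                 expires_at: @clock.call + TTL_SECONDS }
    end
    key
  end

  # Called by the web endpoint Safari is redirected to. Returns the user_id
  # the server should set session cookies for, or nil if the key is unknown,
  # already used, or expired. The key is consumed on the first lookup either way.
  def redeem(key)
    return nil if key.nil? || key.empty?
    @lock.synchronize do
      entry = @store.delete(index_for(key))   # single use: delete before checking
      if entry && entry[:expires_at] > @clock.call
        entry[:user_id]
      else
        nil
      end
    end
  end

  # Drop expired entries; call periodically if keys are issued but never redeemed.
  def sweep
    now = @clock.call
    @lock.synchronize { @store.delete_if { |_, e| e[:expires_at] <= now } }
    nil
  end

  private

  def index_for(key)
    Digest::SHA256.hexdigest(key)
  end
end
```

On a successful redeem the web endpoint should respond with Set-Cookie and a 302 to the page the user actually wanted, so the ?key= URL never appears as the Referer of later requests and is useless if it is found in a log, since it has already been consumed.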
I'm developing an app that logs into a HTTPS website. After authentication, the website sends a final cookie that is marked as 'Secure'.
The app works when I use defaultSessionConfiguration() for NSURLSession().
When I change one line in the app to use the backgroundSessionConfigurationWithIdentifier() then I can't proceed past the authentication stage. I do get a webpage showing that I am authenticated but subsequent requests return the login page.
It appears that the "authentication successful cookie" is not present in the shared cookie storage.
This cookie is the only cookie that the website marks as "Secure". Note that this HTTPS website does all its transactions via HTTPS.
TL;DR
What does the NSURLSession background session do differently from the default session to lose a Secure cookie??
EDIT: I've done some more work.
When NSURLSession redirects using the backgroundSessionConfiguration, it appears to ignore cookies that were sent in the header of the redirect. (I think the cookie being "Secure" may not be critical.)
The redirect works correctly when the defaultSessionConfiguration is specified.
It turns out that this is a known bug. Apple r. 16,852,027.
The backgroundSession is known to ignore new cookies on redirect. The solution is to use a defaultSession to get the cookies and then continue using backgroundSession.
See Apple Developer Forum post
We used to store the session with ActiveRecord and are now moving it to the cookie store in Rails 4. We understand that with the cookie store, all session data is stored in client-side cookies besides the secret token, and we plan to only store ids in the session. Here are a few questions:
After a user logs out, is all session data (for example, user_id and user_group_id) still preserved in client cookies for the next login?
If a user is assigned a new user_group_id, for example, will the old user_group_id stored in client cookies still prevail and blow up the app on the user's next login? There are online posts talking about the app blowing up when the session object gets changed on the server but cannot be updated accordingly on the client side (unless the secret token is changed).
Besides the 4KB size limit and storing only ids in the session with the cookie store, are there other things (or disadvantages) to consider when moving the session from the db to the cookie store?
Here is the low-down on the cookie store. First off, everything in a cookie is there permanently once it's set, or until the user deletes the cookie manually somehow. This means that if you set user_id and user_group_id, they're there for good in the cookie until updated or deleted. This is different from a session, since the session is like RAM on a computer: once the browser is closed, the session closes with it, as well as all of its data.
So, this means that when you log out your user, you need to specify that their cookie empties anything you don't want it to have. When your user logs in, you set anything that you want the user to have while they are logged in. So, since the session and cookie are completely separate things, they never interact unless you choose to make them. So your session will never dump itself into the cookie store unless you make it do that.
Every time your users go to your site, you could have a single handshake that makes sure that the cookie matches the db if necessary. Otherwise, you could have differing data that only gets updated on login or what not, and without the handshake, the user would have to keep logging in to make sure they are still valid, which defeats the purpose of having a cookie in the first place.
The downside of client-side cookie storage is security concerns. Depending on how you use the cookie to store data, a person could hijack somebody's cookie on your site and pretend they are them. This can be avoided by careful design, but just assume that whatever is in your cookie store is fair game to everybody, so use it carefully and only for non-secret data.
Hope this helps!
I am trying to implement Omniauth. I would like to store user's login information from a third party (like Facebook email) to session temporarily, like:
session[:email] = auth.email
Will this information be automatically passed to client?
I know that session ID will be passed to client, but not sure if it is the case for other objects in session.
Thank you.
This depends on what session store you have selected. If you have selected cookie as the session store, it will put all session data in the cookie, which would involve sending it to the client. Otherwise, it just stores the key in the cookie, since that is all that is needed to identify the user and get their session data.
The data you put into the session hash will be stored on client side, but it will be encrypted using your secret_token. If you want to see what's in your session, you can grab the session data out of your browser, then do:
Marshal.load(Base64.decode64(session_data))
The above will show you exactly what you're storing in the browser's session.
In Rails, a session_id is generated if the session configuration is properly set up; then, after rendering the web page, the session_id is stored on the client in a cookie. However, if the cookie value is changed by the client before sending a request to the web server, how does Rails check for the change? I cannot find any clues about how Rails checks for the change; if it doesn't check and the changed session_id exists in the web server's session store, another session's data will be displayed to the current browser user.
If someone is clear on the question, can you explain it for me? Thank you in advance.
The cookie is cryptographically signed. See:
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/cookies.rb
Note that signing the cookie doesn't mean the same thing as encrypting it. The user can see the contents of their session with a bit of fiddling but can't alter it without breaking the signature.
If you want to hide the contents of your sessions from your user, don't use the cookie store.
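An added example, written for this page rather than taken from Rails, that shows the shape of the signed cookie described in the two answers above: the session hash is Marshal-dumped and Base64-encoded, an HMAC over that data is appended after "--", and the server recomputes the HMAC before trusting the data. The module name, the SHA-1 HMAC and the "--" separator are assumptions modelled on the cookie-store layout the answers refer to, not Rails' own implementation. It demonstrates both points at once: anyone can decode the data part (signed is not encrypted), but a changed value, a forged session_id, or a different secret all fail verification.

```ruby
require 'openssl'
require 'base64'

# Added example of a Rails-style signed cookie store (not Rails' code).
module SignedSession
  SEPARATOR = '--'

  # HMAC over the encoded data; hex so it survives cookie encoding unchanged.
  def self.sign(data, secret)
    OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  end

  # Server side: serialize the session hash and append the signature.
  def self.generate(session, secret)
    data = Base64.strict_encode64(Marshal.dump(session))
    "#{data}#{SEPARATOR}#{sign(data, secret)}"
  end

  # What a user can do with their own cookie and no secret: read it.
  # Never call this on input from anyone else; Marshal.load on unverified
  # bytes is a deserialization hazard, which is exactly why the server must
  # check the signature first (see verify_and_load).
  def self.peek(cookie)
    data, _sig = cookie.split(SEPARATOR, 2)
    Marshal.load(Base64.decode64(data))
  end

  # Server side: returns the session hash only if the signature matches;
  # nil for a malformed, tampered, or wrongly-keyed cookie.
  def self.verify_and_load(cookie, secret)
    data, sig = cookie.to_s.split(SEPARATOR, 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(sign(data, secret), sig)
    Marshal.load(Base64.decode64(data))
  end

  # Constant-time comparison so a byte-by-byte early exit cannot leak
  # how much of a forged signature was correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

The forgery path in the usage below is the attack from the question: the client keeps the signature but swaps the data part for a cookie encoding a different session_id. Because the HMAC covers the data, the swap is rejected, which is why Rails does not need to "check for the change" in the session store itself.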