I'm trying to avoid that when a user has connected to Facebook from my webview, the next time he do it, doesn't need to put the email and password. I'm getting the cookie from the "facebook.com" domain with this sentence:
String cookie = CookieManager.getInstance().getCookie("facebook.com");
and storing it in a SQLite database. When the user try to connect another time to Facebook, I use this sentence after removing all another cookies:
CookieManager.getInstance().setCookie("facebook.com", user_acc.getSessionCookie());
but doesn't work. That cookie I suppose that is not valid because the user has to put his username and his password again and after login, I get a different cookie that the one I had stored.
What I'm doing wrong? Is there another way to accomplish that?
Thank you in advance.
I think you can't do this via cookie because this cookie is valid for only that session and as soon as user logout that cookie expires though you are storing that cookie in your database for facebook that cookie was never created that is why it is asking user name pwd again. I think best way is to click remember password
I think this will solve your problem this is announced today check if this can work http://techcrunch.com/2010/11/03/facebook-single-sign-on/
Well, I've found the solution. If I get all the cookies doesn't work, but if only get the m_user cookie all works fine.
Thank you Parry for your answers.
Regards.
Related
I got a question about security for my simple REST API application.
I implemented check for security and on every attempt to read/update data from/in database (this is a simple HttpSession session= request.getSession(true); and check - if this is a new session or old and if it equals session id fro cookies).
But the thing is - even if this is a valid user and valid session - I got an URL which make a user to ignore other user:
http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2
I could change 2 users id (last 2 numbers) and send the same request to make other system user to ignore somebody else, for example: http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/3/4
How can I solve this problem?
I googled a lot (for example - RESTful Authentication and related articles, including security questions). But what is the easiest way to solve this problem? I quite a beginner, so I'll be happy to find the simpliest solutions.
Thank you!
Any authentication mechanism allows you to handle this, provided that users don't share the same credentials. Even with Basic AUTH, you'll be able to determine who authenticated.
If the logged in user is id=1, then he can perform http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2, but he can't ignore people for any other id. In fact, since you get the user id from the database, you don't even need the first parameter. It would be ignoreFriend/2, meaning "I want to ignore the person whose id I'm giving as a parameter".
i would like to have a discussing with you about a login pattern and ask for your input.
Especially my idea is used for a Androird Applicaion
PHP -> Native Android with AsyncHttpClient -> Activity
I dont need help for the authentication or the login procedure itself. Just about the process afterwards, if a user is already authenticated.
Imaging your having one Activity in Andriod with Login fields, thats refers after a right Login to another ShowData-Activity.
The Cookie of the Weberver (Apache + PHP) is stored in the SharedPreferences.
If the user is coming back to the application but is still logged in, as his PHPSessionID is still valid, how can we bypass the login Activity and redirect directly to the Data-Activity.
Should there be a second cookie that stores something like "logged_in", "true"
and the Android APP then checks
Pseudocode:
(If logged_in-cookie == true) { Start data-activity}
Or should there be another call to a site on the webserver that returns a true value?
Pseudo:
If(webseite_response==true){redirect to data activity}
Im not sure about the Best practise even under a security point of view.
Even if the user session is not active, someone could just send an "true" to the Andorid application, and then the user would be in the Data-Activity (even if no data is showed there)
Looking forward to your answers.
Best regards
Fabian
I would suggest storing two values in the shared preference
1)a boolean for the logged in status
2)the cookie
The during app startup,check if logged in status is true,if true you can then verify the cookie.If the cookie is valid,proceed,if its not valid,display the login interface.
Seems like a very nice and easy solution.
Just have a look at Facebook SDK for android and see how they have implemented the authentication mechanism. It should help.
https://developers.facebook.com/docs/android/
I'm developing an app that uses OAuth to authenticate.
The problem is that when I try to get the access_token from facebook with passport.js (node.js) I get something different that when I try to get it with Scribe on Android. Is there any reason?
When I try with twitter the access token are the same and I can match users....
Thanks!
Unless I misinterpreted the question, you can use the "id" field in the response from FB to detect whether its the same user or not (regardless of which API/language you end up using). These IDs are unique per user and should allow you to detect whether the same user logged on via Android (Scribe) or passport.js (node). Hope it helps
I need to implement a simple remember me option in a java servlet with cookies, without using any advanced framework.
First, at login, I create the cookie and send it in response to the browser (client). The value to be stored in the cookie is just a simple hash from username + password.
How should I manage the incoming request from the browser, sending the cookie?
My approach is to check between registered users if there is any user that has the hash from username + password equal to the value in the cookie?
Is this approach correct?
Also, I did not understand exactly what is the mechanism of the expiration date. Does the browser delete the cookie when it is expired, it not, how do I check if the cookie is expired?
As long as you're not using HTTPS the method you suggest is highly insecure. I would suggest to generate some sort of session token (e.g. use java.util.UUID.randomUUID()) and set this as cookie and store it somewhere on the server side so you later can identify the user associated with this session id in the cookie.
This gives you the opportunity to reset a certain session cookie if you think there's some fraud happening and there's no direct relation between the user name/password and the cookie id you use. But note: this method is still vulnerable to a man-in-the-middle attack.
Concerning the expiration: yes the cookie becomes invalid and might get deleted by the browser if it is expired. But you can set the cookie to something in the year 3000, so it lives forever.
Java EE.
Ok, JSP form handed to servlet username and password. Username and password is vaild.
How i can AUTHenticate the user?
Thanks for help.
Here is the tutorial:
http://download.oracle.com/javaee/6/tutorial/doc/bncas.html
Don't reinvent the wheel - especially not security, as it is hard enough to get it right even when using existing frameworks.
I don't know what exacly problem you have. Try this steps:
Submit your form in HTTP GET to your LoginServlet
Get Login
Get Password
If Login && Password are correct create some UserObject and call httpRequest.getSession() which get user http session. Then put this object to your created session.
To check if user is logged you check if userObject exists in session
If you will have problems try attached your current sources.