I have a web app that uses a cookie as an access token (to let users stay logged in after refreshing/closing the site/app). It works perfectly on desktop but when I try to use it on my Android phone (installing it via Chrome), for some reason it says that I'm not logged in which means it wasn't able to load the access token.
Why is this happening? Is there a difference between how cookies are handled in the browser and when starting a PWA as a standalone?
Also two little side questions, 1, is there a way to debug a PWA that's added to the homescreen (using some sort of remote debugger) and 2, would it be a security risk to use localStorage for storing the access token instead of a cookie? I realize neither is particularly safe but I read that cookies are slightly better for this sort of thing. localStorage works just fine when starting as a standalone
Related
Pretty stuck with this one. I'm using Auth0's SPA-JS SDK and it works perfectly for the most part, but on mobile when I refresh the page it logs me out.
I get the error that says "login required", but no such error when on the desktop. On the desktop, I can refresh the page as much as I want with no issue.
I am not using the dev keys anymore for my social signups, and the issue occurs on email signup as well, so I don't think dev keys are the issue either.
Thanks.
Are you using the mobile browser (eg Chrome / Safari)?
Or a mobile webview?
The latter case will always give you a private browser session where cookies and session storage are both aggressively dropped.
If you're not using the mobile browser then the other scenarios require more work. Logins via some form of the system browser work best.
Also are you using local storage of OAuth 2.0 tokens?
- if so try switching to session storage - could be related to cookies dropped due to a missing user gesture - eg Intelligent Tracking Protection
This questions is related to this other one I posted a few days ago:
Instagram oAuth Authentication postMessage issue only with Mobile Browsers
Pretty much the issue I have is that when logging in my app with Instagram Chrome will behave inconsistently (on Android) and cause me some problems.
As I say in that other thread, IG authentication will reply with the required token and data to authenticate the user in my app.
It will do this by replying with a script that sends that data back to the original window, using window.opener.postMessage().
When I run my app on Chrome in Incognito mode, window.opener.postMessage will work without any issue since only one tab is opened and the reference to the opener isn't lost.
However, when I run this on the same browser but in regular mode (like probably 90% of people will) the behaviour is different.
Chrome will open a tab, close it and open a new one to input auth data. However, window.opener here won't work because the opener reference has been lost (is now null).
How come the same browser, on the same device will have such a different behaviour between two modes?
Does anybody know why this happens and how to prevent this from happening?
I think that browsers store user authentificaton ids and passwords in cookies. If this is always true i don't know if they all share the same folder on systems where to stores these cookies.
My specific problem lies on mobiles OS (currently iOS and soon Android). i think browsers bahviour would be the same on any system (the same on mobile or pc)
I'm developping an app with Titanium which has a module for dealing with cookies but i don't know where to find the facebook cookie on user's system nor how to access it.
Any solution with javascript is also good for me.
Can someone tells us if this is possible to do and how ?
I am working on a very old web application(only for intranet usage). In the code, the developer is obtaining the logged in account via this
var wshNetwork = new ActiveXObject("WScript.Network");
document.getElementById('userId').value = wshNetwork.UserName;
This works only in IE. How can I get the logged in account in Firefox/chrome?
I have looked in to other thread (ex: Finding the currently logged in user from a Firefox extension) but that's only for extension.
Are there any other ways to get the domain logged in username in Firefox/Chrome?
No, this is severely security-sensitive information - the main attack vector for compromising your computer. In IE it also only works for trusted websites such as localhost, or with special configuration for the local network - never on internet without additional configuration. Sandboxed JS will never be able to access this information - extensions are considered elevated.
This is something that I would do on server side. Providing you're using IIS, I would set the page to be using only Windows Authentication, read the current user on server side, and send it back to client via hidden field or javascript variable.
We have developed an ASP.NET MVC 4/Web API single page, mobile website (also using jQuery Mobile) that is intended to be accessed only from mobile devices (e.g., iPads, iPhones, Android tables and phones, etc.), not desktop browsers. This mobile website will be hosted internally, like an intranet site. However, since we’re accessing it from mobile devices, we can’t use Windows authentication. We still need to know which user (and their role) is logging in to the mobile website app.
We tried simply using ASP.NET’s forms authentication and membership provider, but couldn’t get it working exactly the way we wanted. What we need is for the user to be prompted for a user name and password only on the first time they access the site on their mobile device. After they enter a correct user name and password and have been authenticated once, each subsequent time they access the site they should just go right in. They shouldn’t have to re-enter their credentials (i.e., something needs to be saved locally to each device to identify the user after the first time).
This is where we had troubles. Everything worked as expected the first time. That is, the user was prompted to enter a user name and password, and, after doing that, was authenticated and allowed into the site. The problem is every time after the browser was closed on the mobile device, the device and user were not know and the user had to re-enter user name and password.
We tried lots of things too. We tried setting persistent cookies in JavaScript. No good. The cookies weren’t there to be read the second time. We tried manually setting persistent cookies from ASP.NET. No good. We, of course, used FormsAuthentication.SetAuthCookie(model.UserName, true); as part of the form authentication framework. No good. We tried using HTML5 local storage. No good. No matter what we tried, if the user was on a mobile device, they would have to log in every single time. (Note: we’ve tried on an iPad and iPhone running both iOS 5.1 and 6.0, with Safari configure to allow cookies, and we’ve tried on Android 2.3.4.)
Is there some trick to getting a scenario like this working?
Or, do we have to write some sort of custom authentication mechanism? If so, how? And, what?
Or, should we use something like claims-based authentication and WIF?
Or???
Any help is appreciated.
Thanks!
try adding .browser file as discussed here:
http://www.simonantony.net/knowledge-base/articles/browsing-your-site-on-an-iphone-using-chrome-does-not-work/
I know it says chrome, but i've accountered this problem with safari also.