I am using an android WebView to load a company page which requires a certain cookie.
Part of this page are several images which are generated via PHP script. This script is on the same site and also requires the same cookie.
I use the CookieSyncManager and CookieManager but I don't know how to prove that the correct cookies are used.
My problem is that the pictures are not shown. When I try to access the pictures separately I get a redirect to the login page ( which is standard for not authenticated requests )
Any ideas?
If you try on Android 4.4, you can use Dev Tools to inspect the network requests and check for the cookie. Prior to 4.4, you could try using tcpdump/wireshark to look at the requests. Alternatively, can you have the server log the cookies that are sent with the request and inspect them that way?
Related
I have a file in PHP receiving a POST from an Android application and it works correctly but it also works correctly if loaded from a browser. What would be the most correct and efficient way to prohibit this from happening?
Try testing for the user agent in the request $_SERVER["HTTP_USER_AGENT"]. With PHP you can use the get_browser() for more information given the user agent.
Note that any client could send fake a user agent, so this information is good hint, but as any user input, it must not be trusted completely.
If you own the Android application I would suggest sending a security token generated on the android app via HTTPS to your PHP app where it would be validated.
Add header while making the HTTP request.
e.g. Application Type
httppost.setHeader("Application-Type", "ANDROID");
This will differentiate between your calls and server may get to know if call is made from mobile with having this header while Browser doesn't.
Take a look at a page with phpinfo() on that from the android
You can check the Browser and OS, based on that you can chose what to do
Not sure this is possible but...
What I would like to do is to use ASP.NET impersonation to authenticate a Flash app as a user in IIS so that the file dependencies related to the flash file ( XML config files, and PHP API calls ) are not anonymously accessible when users try to access them directly through the URL. So, instead of displaying the contents of an XML config file, it should tell the unauthenticated user they do not have permission to view the file.
Is this possible? Right now I'm looking into request headers and the settings in IIS for authentication.
So I found out how to use Basic Authentication through help posted here. The problem I'm running into is that even though the flash app sends the appropriate request. Which is handled fine in FF, Chrome, and Safari. It still displays the login pop-up box for Opera and IE. Does anyone know why IE and Opera behave differently with Basic Authentication?
Any help on this would be greatly appreciated.
use ASP.NET impersonation to authenticate a Flash app as a user in IIS
Assuming I understood your post correctly:
If your intent is to protect some file from unauthorized access, you should check if the solutions provided actually do so. Flash is a client side plug-in, and therefore its communication with the server (side) can be inspected using readily available tools (Safari/Chrome/IE developer tools, Firebug, etc). So if Flash is a "user" and you hard-code its authentication, it would be trivial to inspect that (http) request and "see" the data being passed....
On the other hand, if you are saying you want to incorporate a user login (each user will have to provide credentials) and then have that communicate with your server side authentication scheme then it would be fine (just like any other browser based login scheme).
When the Facebook session expires with my App, I have to use the Javascript SDK to create a new session. This is hugely annoying as it appears to the user that they are logged out occasionally as I do most of the detection server side. And then, when they reload the page and the javascript has executed, the session is recreated.
I am aware that I can fix this quite simply by using javascript to show a message saying 'please reload the page' (much like StackOverflow), however, I do not want my users to have to do this. I accept that the PHP SDK cannot do it, but is there any sort of hack I can do to achieve it myself using PHP instead of Javascript?
Can anyone explain why the PHP cannot do this?
PHP is running on your server, which has nothing to do with Facebook's servers. Remember that cookies are locked to the originating domain. The cookie will appear to have been set by YOUR server, and have an originating domain of "yoursite.com", not "facebook.com".
JS, on the other hand, runs on the client, and any requests made to Facebook's servers will also obey any cookies set by the Facebook servers.
I have an app on my server which redirects to Facebook and thus displays the browser version of the Facebook Login page.
However, since I'll be accessing this through a mobile device, I'll want it to display the mobile version of the Facebook login page.
Is it possible to use the header() function or is there a way to change the user-agent on my host before it redirects to Facebook? So that Facebook will think the request is coming from a mobile device and thus render the mobile version.
I have already tried to use JavaScript and tried spoofing the header command; unfortunately these didn't work.
Thank you.
ini_set('user_agent', 'MyBrowser v42.0.4711');
Your server cannot affect the remote browser's configuration. The only place where you could change the user agent is if you were proxying the browser's requests to facebook, as it'd be your server connecting to FB, not the client.
Try redirecting to m.facebook.com instead. That displays a minimal "mobile" version.
so what i am trying to do is this:
login to the other server with a PHP on my own server (either with my username and pass/or with my cookies)
then have access to the page i want to display/download
i want to write a PHP script that is located on my own server, that automatically does a login to another server, that uses HTTPS and a web form for login.
after the login i have access to that page that i am trying to download.
i dont know if it would be possible to login and download the html only with the cookies that i have in my browser through a previous login, or if i need to do the login in my php script through some https login method.
can i do any of this with curl or fsocksopen or what would be the best way to realize this?
thanks in advance!
you just have to try. in most cases you should be fine if you export your cookies and use them in your curl request.
however the website mave hashed the cookies with the remote address, or given a timeout on them.
then you probably have to login from the server. with php / curl you can do that all.
the only thing that may be a problem is javascript/captcha codes.
in addition you should definately check zend http client, it has functionalities that makes "browsing" easy. for example saving cookies and automatically passing them on in the next request and also deleting them if the server tells you so etc.
Use the PEAR HTTP Request class.