Not sure this is possible but...
What I would like to do is to use ASP.NET impersonation to authenticate a Flash app as a user in IIS so that the file dependencies related to the flash file ( XML config files, and PHP API calls ) are not anonymously accessible when users try to access them directly through the URL. So, instead of displaying the contents of an XML config file, it should tell the unauthenticated user they do not have permission to view the file.
Is this possible? Right now I'm looking into request headers and the settings in IIS for authentication.
So I found out how to use Basic Authentication through help posted here. The problem I'm running into is that even though the flash app sends the appropriate request. Which is handled fine in FF, Chrome, and Safari. It still displays the login pop-up box for Opera and IE. Does anyone know why IE and Opera behave differently with Basic Authentication?
Any help on this would be greatly appreciated.
use ASP.NET impersonation to authenticate a Flash app as a user in IIS
Assuming I understood your post correctly:
If your intent is to protect some file from unauthorized access, you should check if the solutions provided actually do so. Flash is a client side plug-in, and therefore its communication with the server (side) can be inspected using readily available tools (Safari/Chrome/IE developer tools, Firebug, etc). So if Flash is a "user" and you hard-code its authentication, it would be trivial to inspect that (http) request and "see" the data being passed....
On the other hand, if you are saying you want to incorporate a user login (each user will have to provide credentials) and then have that communicate with your server side authentication scheme then it would be fine (just like any other browser based login scheme).
Related
so my file does not work properly if it is on I.E <11 so I want to redirect the user to a chrome broswer and/or provide a hyperlink to take them to chrome if they are on I.E how would I do that?
A browser cannot launch any other applications on the machine.
I also agree with the suggestions to identify the browser and display the message that this version of the IE browser is not supported.
There are some ways like modifying the registry or by using the batch file or using the custom protocol handler to launch the Chrome browser but these are not the suitable solutions as you need to implement it on each machine.
So most suitable workaround is to inform the users of using the supported browsers by your web app.
Google no longer allowing embedded webviews as it is a disallowed_useragent for OAuth sign in. For most situations, this is completely fine and there is a workaround. However, I have run into a situation where this prevents websites from being able to use a web-server OAuth implementation.
The Issue:
Nginx PHP server running the Google PHP SDK, using their O-Auth implementation. This works fine on everything except embed browsers. Typically this is okay, however, if a user tries to sign up to our website in an app which uses an embedded browser, we get the disallowed_useragent error (See picture at bottom). This doesn't appear to be a problem in Android Facebook Messenger but can be replicated on the iPhone 7 Plus Facebook Messenger.
Current Research:
I tried to look for explicit workarounds. E.g. ways to force the link to open in the primary phone browser (e.g. Safari app) but all implementations point to app side fixes, which can't be done from a website.
Question:
How can I implement Google Oauth when some users may be using these embedded browsers, without making the user to take an extra manual action (e.g. Open in Safari/Chrome)?
This question is very opinion based but I will give you my opinion.
How should I implement Google Oauth when some users may be using these embedded browsers, without making the user to take an extra action?
You cant really. If someone is using an embedded browser in Facebook messenger (embedded browser) to open your auth link its not going to work. To my knowledge there is no way to force or over ride Facebook messenger or any other app that uses its own embedded browser. Again this is just my opinion but there are a lot of apps out which have started forcing their users to use these embedded browser's. One could question how secure they are and that it is better to use the real installed browser. Do you think this is why google has enabled this to begin with?
I would like to avoid going down the road of detecting the user-agent web-side and force the user to open the link in Safari.
I don't know that sounds like a pretty decent solution to me. It may feel a like over kill a little but if it works go with it.
There's another scenario that is causing issues.
If you have a web app - not a native app with an embedded browser - the user can always choose to put the shortcut to the HomeScreen in iOS.
But when they go to that HomeScreen shortcut to run the app, it will strip "Safari/6xx.x" from the user agent string.
Now, Google sees this as an "Embedded Browser" and denies access to OAuth.
So - "No Web-App-Capable" for you!
If you turn off this meta tag:
<meta name="apple-mobile-web-app-capable" content="yes"/>
two things happen in iOS:
The website now opens in the Safari browser window instead of the cleaner Web-App method.
The website uses the complete Safari useragent which will allow OAuth to work.
The real shame here is that the decisions of Google (To deny non-standard browsers to access OAuth) and Apple (To remove the Safari version in the user agent for homescreen shortcuts) have backed us into the corner where any site that could look really nice in web-app mode can't utilize this OAuth from google.
I've been trying to find a way to spoof the user agent to add the safari version into it so that everything works in homescreen web-apps, but I don't think I can make it work. It seems that safari doesn't allow you to change the navigator.userAgent and on top of that, I'm not sure how it would handle new popup windows in WebApp mode.
I have recently been developing twilio web application. My application can receive calls. This feature is OK. But When answer button is clicked, message pops up "localhost want to use microphone". I want to avoid this message. I want to answer call once when answer button is clicked without any messages. Is it possible? if possible how can I do it?
Twilio evangelist here.
The request to access local sytem devices is a security feature built into the browser. If your website is being loaded over HTTP then the browser will prompt the user for access every time they load the page. If the site is loaded over HTTPS, then most browsers will automatically remember the authorization or allow the use to specify they want the authorization remembered.
Hope that helps.
For security reasons, the browser won't allow using microphone without asking the user. Chrome can be only set to ask for permission or always deny.
You can set an exception for these rules, but it will only affect your own browser. Other users will still have to allow microphone access when they open your site.
I have a file in PHP receiving a POST from an Android application and it works correctly but it also works correctly if loaded from a browser. What would be the most correct and efficient way to prohibit this from happening?
Try testing for the user agent in the request $_SERVER["HTTP_USER_AGENT"]. With PHP you can use the get_browser() for more information given the user agent.
Note that any client could send fake a user agent, so this information is good hint, but as any user input, it must not be trusted completely.
If you own the Android application I would suggest sending a security token generated on the android app via HTTPS to your PHP app where it would be validated.
Add header while making the HTTP request.
e.g. Application Type
httppost.setHeader("Application-Type", "ANDROID");
This will differentiate between your calls and server may get to know if call is made from mobile with having this header while Browser doesn't.
Take a look at a page with phpinfo() on that from the android
You can check the Browser and OS, based on that you can chose what to do
I'm not sure if this is even possible, but I figured this was a great place to ask the question.
I'm using http://simpletest.org/en/browser_documentation.html PHP WebBrowser to test a wordpress site. What I'm doing is setting the login credentials to access the wordpress backend. I run a couple of test, but my question is in certain situations I want to transfer the session that the "SimpleTest PHP Web Browser" has running to client's browser. Aka... my browser.
So in a since I"m transferring the session from the server side test browser to a normal client browser. This "client browser" is the same browser that is literally running the SimpleTest script to begin with.
I'm wondering if I can transfer the header & cookies associated with the "SimpleTest PHP Web Browser" to my browser. What I'm thinking is to pull the data out using the SimpleTest PHP Library and then set that information to the client browser using Javascript.
Is this even possible? I feel like I'm missing some basic understanding of server side session authentication which would make this impossible.
Any ideas? I'm really curious!
Did you look at the Authentication documentation for SimpleTest?