But are you reconnecting to the same web2py session on each request?

On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
>
> I reviewed your code again and looked into the source code for web2py to see how web2py deals with session login cookies.
>
> For what I want to accomplish, I believe I have found a method which does not involve changing web2py source code. It's simpler and more straightforward for me to wrap my head around (also not having to worry about storing cookies in the app). Please let me know if there's anything important I am missing or security flaws that I should consider.
>
> 1. Embed webview into native Android app, using auth.login_bare to authenticate.
> 2. On login success, return a token of similar format to web2py's session cookies.
> 3. Store this token in the database (in a table named 'tokens'), and send back to Android app as a cookie.
> 4. For every request to my web service that requires authentication, send the token as a cookie and have the receiving API controller function extract the cookie/token. If the token is currently in db.tokens, then the user has been authenticated and the request returns the appropriate data.
> 5. On logout/password change, delete the issued tokens for this user from db.tokens, so the same token can't be used to authenticate for future API calls.
>
> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>>
>> I was not precisely calling from a native Android or native iOS app. I was using a PhoneGap client, which is different. It looks like a web browser but is not a browser client.
>> PhoneGap can only use HTML5 storage unless you write a native Android / iOS PhoneGap extension/plugin.
>> So my technique will work from almost any client platform, even from a Windows native client app for example, as long as it uses HTTP.
>>
>> Also, in my tracing of how web2py handles the client connection, I believe I found a few wrinkles in the sequence of events which needed to be handled specially in this case where the client is not a web browser.
>>
>> In your particular case, if you have cookies in the native client, then that is one less problem to solve. You probably just have to mimic the HTTP messages that a browser would send.
>>
>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
>>>
>>> Thanks for the responses, and Happy New Year to you guys too!
>>>
>>> dlypka, for your cookieless solution, it assumes that the client app can't store/extract tokens? In the Google Android link above, it says that both Android and iOS can read and extract the tokens/cookies. So when the Android app calls the Web2py app, wouldn't it just pass in the cookie/token and have Web2py verify it as Web2py normally verifies session login cookies?
>>>
>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
>>>>
>>>> :-)
>>>>
>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
>>>>>
>>>>> Yes it is my New Year's Resolution to make time to put it in a Slice.
>>>>>
>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro wrote:
>>>>>>
>>>>>> Perhaps this should go in a web2pyslice?
>>>>>>
>>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote:
>>>>>>>
>>>>>>> I developed a solution for this.
>>>>>>> I posted it here:
>>>>>>>
>>>>>>> https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos
>>>>>>>
>>>>>>> Happy New Year!
>>>>>>>
>>>>>>> On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote:
>>>>>>>>
>>>>>>>> I am currently trying to authenticate users on an Android app to my Web2py application. I am not comfortable implementing this on my own without some guidance/advice, as I'm worried about the security of the login information becoming jeopardized.
>>>>>>>>
>>>>>>>> I am following the guideline for authentication outlined by Google here: https://developers.google.com/accounts/docs/MobileApps
>>>>>>>>
>>>>>>>> Another outline of how I'm trying to accomplish authentication is here: http://stackoverflow.com/questions/7358715/authentication-model-for-android-application
>>>>>>>>
>>>>>>>> The first step, and my question, is how I would generate a token to return to the Android app after the user has successfully logged in. It is suggested that this token be in the same format as what Web2py uses for session login cookies, except with a 'mobile' flag indicating the token can only be used for API calls, and doesn't have the short lifespan of a browser session.
>>>>>>>>
>>>>>>>> Any help would be greatly appreciated, as I haven't read too much about authentication to web2py from an Android app.
--
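The five-step token scheme Mark Li sketches above (mint a token after auth.login_bare, keep it in db.tokens, read it back from the request cookie, delete it on logout or password change), written out as an added stand-alone example that is not code from the thread or from web2py. It assumes an in-memory dict in place of the db.tokens table, a cookie named `token`, and a 30-day lifetime; it also stores only a hash of the token and enforces expiry, two checks the thread does not spell out.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

# Constructed stand-in for the db.tokens table from the thread: token_hash -> row.
# Assumption: in a real web2py app this dict becomes db.tokens, and the cookie is
# read from request.cookies and set via response.cookies in the controller.
TOKENS = {}
TOKEN_TTL = 30 * 24 * 3600       # long-lived "mobile" token: 30 days, not a browser session
COOKIE_NAME = "token"            # assumed cookie name

def _digest(token):
    # Persist only a SHA-256 of the token so a leaked tokens table is not a list of live logins.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user_id, now=None):
    """Steps 2-3: after auth.login_bare() succeeds, mint a random token and record it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                    # 256 bits from the OS CSPRNG
    TOKENS[_digest(token)] = {"user_id": user_id, "expires": now + TOKEN_TTL}
    return token                                         # send this back as the cookie value

def authenticate(token, now=None):
    """Step 4: map a presented token to a user id, or None if unknown, revoked or expired."""
    now = time.time() if now is None else now
    key = _digest(token)
    row = TOKENS.get(key)
    if row is None:
        return None
    if now >= row["expires"]:
        del TOKENS[key]                                  # lazily purge stale rows
        return None
    return row["user_id"]

def user_from_cookie_header(cookie_header, now=None):
    """What the API controller does with the raw Cookie header of an incoming request."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return None if morsel is None else authenticate(morsel.value, now)

def revoke_user_tokens(user_id):
    """Step 5: on logout or password change, drop every token issued to this user."""
    stale = [h for h, row in TOKENS.items() if row["user_id"] == user_id]
    for h in stale:
        del TOKENS[h]
    return len(stale)
```

Because the table holds hashes, a token must be presented in full to match, and revoking by user id removes every device's token at once, which is the behaviour step 5 asks for on a password change.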

