I reviewed your code again and looked into the source code for web2py to 
see how web2py deals with session login cookies.

For what I want to accomplish, I believe I have found a method which does 
not involve changing web2py source code. It's simpler and more 
straightforward for me to wrap my head around (also not having to worry 
about storing cookies in the app). Please let me know if there's anything 
important I am missing or security flaws that I should consider.


1. Embed a webview into the native Android app, using auth.login_bare to 
authenticate.
2. On login success, return a token of similar format to web2py's session 
cookies.
3. Store this token in the database (in a table named 'tokens'), and send 
it back to the Android app as a cookie.
4. For every request to my web service that requires authentication, send 
the token as a cookie and have the receiving API controller function 
extract the cookie/token. If the token is currently in db.tokens, then 
the user has been authenticated and the request returns the appropriate 
data.
5. On logout/password change, delete the issued tokens for this user from 
db.tokens, so the same token can't be used to authenticate for future API 
calls.

On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>
> I was not precisely calling from a native Android or native iOS app.
> I was using a PhoneGap client, which is different. It looks like a web 
> browser but is not a browser client.
> PhoneGap can only use HTML5 storage unless you write a native Android / 
> iOS PhoneGap extension/plugin.
> So my technique will work from almost any client platform, even from a 
> Windows native client app, for example,
> as long as it uses HTTP.
>
> Also, in my tracing of how web2py handles the client connection, I believe 
> I found a few wrinkles in the sequence of events
> which needed to be handled specially in this case where the client is not 
> a web browser.
>
> In your particular case, if you have cookies in the native client, then 
> that is one less problem to solve.
> You probably just have to mimic the HTTP messages that a browser would 
> send.
>
> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
>>
>> Thanks for the responses, and Happy New Years to you guys too!
>>
>> dlypka, for your cookieless solution, does it assume that the client app 
>> can't store/extract tokens? In the Google Android link above, it says that 
>> both Android and iOS can read and extract the tokens/cookies. So when the 
>> Android app calls the Web2py app, wouldn't it just pass in the cookie/token 
>> and have Web2py verify it as Web2py normally verifies session login 
>> cookies?
>>
>>
>>
>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
>>>
>>> :-)
>>>
>>>
>>>
>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
>>>>
>>>> Yes it is my New Year's Resolution to make time to put it in a Slice.
>>>>
>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro wrote:
>>>>>
>>>>> Perhaps this should go in a web2pyslice?
>>>>>
>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote:
>>>>>>
>>>>>> I developed a solution for this.
>>>>>> I posted it here:
>>>>>> https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos
>>>>>>
>>>>>> Happy New Year!
>>>>>>
>>>>>>
>>>>>> On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote:
>>>>>>>
>>>>>>> I am currently trying to authenticate users on an Android app to my 
>>>>>>> Web2py application. I am not comfortable implementing this on my own 
>>>>>>> without some guidance/advice, as I'm worried about the security of the 
>>>>>>> login information becoming jeopardized.
>>>>>>>
>>>>>>>
>>>>>>> I am following the guideline for authentication outlined by Google 
>>>>>>> here: https://developers.google.com/accounts/docs/MobileApps
>>>>>>>
>>>>>>> Another outline of how I'm trying to accomplish authentication is 
>>>>>>> here: 
>>>>>>> http://stackoverflow.com/questions/7358715/authentication-model-for-android-application
>>>>>>>
>>>>>>>
>>>>>>> The first step, and my question, is how I would generate a token to 
>>>>>>> return to the Android app after the user has successfully logged in. 
>>>>>>> It is suggested that this token be in the same format as what Web2py 
>>>>>>> uses for session login cookies, except with a 'mobile' flag indicating 
>>>>>>> the token can only be used for API calls, and doesn't have the short 
>>>>>>> lifespan of a browser session.
>>>>>>>
>>>>>>> Any help would be greatly appreciated, as I haven't read too much 
>>>>>>> about authentication to web2py from an Android app.
>>>>>>>
>>>>>>

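As an added illustration of the five-step token scheme described at the top of the thread (issue on login, store in a tokens table, check on each API call, revoke on logout or password change), here is a framework-independent Python sketch; it is not web2py's code or the poster's, it uses an in-memory sqlite3 table as a stand-in for db.tokens, and the 30-day lifetime and the choice to store only a hash of the token are assumptions added here.

```python
import hashlib
import secrets
import sqlite3
import time

# Assumed lifetime for the long-lived 'mobile' token (the thread gives none).
TOKEN_TTL = 30 * 24 * 3600


def open_db():
    """Constructed stand-in for the thread's db.tokens table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tokens (user_id INTEGER, token_hash TEXT, expires REAL)")
    return db


def _digest(token):
    # Only the hash is stored, so a leaked tokens table yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, user_id, now=None):
    """Steps 2-3: after auth.login_bare succeeds, mint and record a token.
    Returns the secret value to send back to the app as the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    db.execute("INSERT INTO tokens VALUES (?, ?, ?)",
               (user_id, _digest(token), now + TOKEN_TTL))
    return token


def user_for_token(db, token, now=None):
    """Step 4: resolve the cookie value presented on an API call.
    Returns the user_id, or None if the token is unknown, revoked or expired."""
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id, expires FROM tokens WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    if row is None or row[1] < now:
        return None
    return row[0]


def revoke_user_tokens(db, user_id):
    """Step 5: on logout or password change, drop every token issued to the user,
    so an old cookie can no longer authenticate. Returns the number removed."""
    return db.execute("DELETE FROM tokens WHERE user_id = ?", (user_id,)).rowcount
```

An API controller would call `user_for_token` with the cookie value and treat `None` as unauthenticated; the expiry check is what keeps a forgotten device from holding access indefinitely.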