If you mimic the same http traffic that a browser would generate, then of 
course you will get all the normal web2py functionality such as the session.

The web2py session is usually stored in the database which means it can 
store a large amount of data without the size limits of cookie storage. And 
it will persist between requests.

On Friday, January 4, 2013 6:19:14 PM UTC-6, Mark Li wrote:
>
> Would it be necessary to connect to the same web2py session?
>
> To my understanding, connecting to the same session would be necessary if 
> the session contained Auth information indicating whether or not a user was 
> logged in. However, using auth.login_bare(), I only return a token on login 
> success, and the Auth information is never stored in session. Only the 
> token would be used to check whether or not a user was authenticated, as 
> this info is not stored in session.
>
> The login/authentication from Android would only be used for API calls, 
> and not for browsing the site. In the 'tokens' table, there would be 
> information about the user that would be similar to the Auth info stored in 
> session. When the token is passed to web2py, it would return the same 
> information that would normally be stored in session about the user.
>
> Thanks again for your help and checking my logic, I'm still pretty new to 
> this!
>
> On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote:
>>
>> But are you reconnecting to the same web2py session on each request?
>>
>> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
>>>
>>> I reviewed your code again and looked into the source code for web2py to 
>>> see how web2py deals with session login cookies.
>>>
>>> For what I want to accomplish, I believe I have found a method which 
>>> does not involve changing web2py source code. It's simpler and more 
>>> straightforward for me to wrap my head around (also not having to worry 
>>> about storing cookies in the app). Please let me know if there's anything 
>>> important I am missing or security flaws that I should consider.
>>>
>>>
>>> 1. Embed webview into native Android app, using auth.login_bare to 
>>> authenticate.
>>> 2. On login success, return a token of similar format to web2py's 
>>> session cookies.
>>> 3. Store this token in the database (in a table named 'tokens'), and 
>>> send it back to the Android app as a cookie.
>>> 4. For every request to my web service that requires authentication, 
>>> send the token as a cookie and have the receiving API controller function 
>>> extract the cookie/token. If the token is currently in the db.tokens, then 
>>> the user has been authenticated and the request returns the appropriate 
>>> data.
>>> 5. On logout/password change, delete the issued tokens for this user 
>>> from db.tokens, so the same token can't be used to authenticate for future 
>>> api calls.
>>>
>>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>>>>
>>>> I was not precisely calling from a native Android or native iOS app.
>>>> I was using a PhoneGap client, which is different. It looks like a 
>>>> web browser but is not a browser client.
>>>> PhoneGap can only use HTML5 storage unless you write a native Android / 
>>>> iOS PhoneGap extension/plugin.
>>>> So my technique will work from almost any client platform, even from a 
>>>> Windows native client app for example, 
>>>> as long as it uses HTTP.
>>>>
>>>> Also, in my tracing of how web2py handles the client connection, I 
>>>> believe I found a few wrinkles in the sequence of events
>>>> which needed to be handled specially in this case where the client is 
>>>> not a web browser.
>>>>
>>>> In your particular case, if you have cookies in the native client, then 
>>>> that is one less problem to solve. 
>>>> You probably just have to mimic the HTTP messages that a browser would 
>>>> send.
>>>>
>>>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
>>>>>
>>>>> Thanks for the responses, and Happy New Years to you guys too!
>>>>>
>>>>> dlypka, for your cookieless solution, it assumes that the client app 
>>>>> can't store/extract tokens? In the Google Android link above, it says that 
>>>>> both Android and iOS can read and extract the tokens/cookies. So when the 
>>>>> Android app calls the Web2py app, wouldn't it just pass in the cookie/token 
>>>>> and have Web2py verify it as Web2py normally verifies session login 
>>>>> cookies?
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
>>>>>>
>>>>>> :-)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
>>>>>>>
>>>>>>> Yes it is my New Year's Resolution to make time to put it in a Slice.
>>>>>>>
>>>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro 
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Perhaps this should go in a web2pyslice?
>>>>>>>>
>>>>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote:
>>>>>>>>>
>>>>>>>>> I developed a solution for this.
>>>>>>>>> I posted it here:
>>>>>>>>>
>>>>>>>>> https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos
>>>>>>>>>
>>>>>>>>> Happy New Year!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote:
>>>>>>>>>>
>>>>>>>>>> I am currently trying to authenticate users on an Android app to 
>>>>>>>>>> my Web2py application. I am not comfortable implementing this on my own 
>>>>>>>>>> without some guidance/advice, as I'm worried about the security of the 
>>>>>>>>>> login information becoming jeopardized.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I am following the guideline for authentication outlined by 
>>>>>>>>>> Google here: 
>>>>>>>>>> https://developers.google.com/accounts/docs/MobileApps
>>>>>>>>>>
>>>>>>>>>> Another outline of how I'm trying to accomplish 
>>>>>>>>>> authentication is here: 
>>>>>>>>>> http://stackoverflow.com/questions/7358715/authentication-model-for-android-application
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The first step, and my question, is how I would generate a token 
>>>>>>>>>> to return to the Android app after the user has successfully logged in. 
>>>>>>>>>> It is suggested that this token be in the same format to what Web2py 
>>>>>>>>>> uses for session login cookies, except with a 'mobile' flag indicating 
>>>>>>>>>> the token can only be used for API calls, and doesn't have the short 
>>>>>>>>>> lifespan of a browser session.
>>>>>>>>>>
>>>>>>>>>> Any help would be greatly appreciated, as I haven't read too much 
>>>>>>>>>> about authentication to web2py from an Android app.
>>>>>>>>>>
>>>>>>>>>
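
The token scheme Mark Li lays out in steps 1 to 5, as an added example that is not code from the thread or from web2py itself: the `tokens` table is replaced by an in-memory dict standing in for `db.tokens`, and the code adds the pieces a reviewer would ask about before trusting such a token (CSPRNG generation, storing only a digest, an expiry, and revocation of every token of a user on logout or password change). Wiring it to web2py (`auth.login_bare()`, reading `request.cookies`) is left to the app and is assumed here.

```python
import hashlib
import secrets
import time

# Stand-in for the 'tokens' table from the thread (constructed for this example);
# a web2py app would keep the same columns in db.tokens.
TOKENS = {}  # sha256(token) -> {"user_id": int, "expires": float}

# Mobile tokens are long-lived by design, unlike a browser session, so an
# explicit expiry is what bounds the damage of a leaked token.
TOKEN_LIFETIME = 30 * 24 * 3600  # seconds (assumed value)


def _digest(token):
    # Only the digest is stored: a dumped table yields nothing usable as a cookie.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id, now=None):
    """Step 2/3: called once auth.login_bare() has succeeded; the raw token is
    returned exactly once and sent to the Android app as a cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKENS[_digest(token)] = {"user_id": user_id, "expires": now + TOKEN_LIFETIME}
    return token


def user_for_token(token, now=None):
    """Step 4: resolve the cookie/token from the request to a user id.
    Returns None for unknown or expired tokens."""
    now = time.time() if now is None else now
    key = _digest(token)
    # The lookup compares digests, not the raw token, so comparison timing
    # reveals nothing an attacker could turn back into a valid token.
    row = TOKENS.get(key)
    if row is None:
        return None
    if row["expires"] <= now:
        del TOKENS[key]  # expired: remove so it cannot linger in the table
        return None
    return row["user_id"]


def revoke_user_tokens(user_id):
    """Step 5: logout or password change invalidates every token of the user,
    not just the one presented. Returns the number of tokens removed."""
    doomed = [key for key, row in TOKENS.items() if row["user_id"] == user_id]
    for key in doomed:
        del TOKENS[key]
    return len(doomed)
```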
