Android: use session cookies for android app

Created on 24 Nov 2016 · 8 Comments · Source: owncloud/android

Actual behaviour

Android app ignores session cookies.

Expected behaviour

Android should check for the session cookies so the access can be revoked from the server side.

Steps to reproduce

  1. create user test on server
  2. login with user on server
  3. login from android.
  4. on personal page on server look for active sessions
  5. android client is not shown in sessions overview.

Environment data

Android version: android 6
Device model: moto g3
Stock or customized system: cyanogenmod
ownCloud app version: 2.1.2
ownCloud server version: 9.1.2 expected to work from 9.1.0

approved by qa blue-ticket enhancement network

All 8 comments

@davivel as discussed

@Kawohl, what do you mean with "expected to work from 9.1.0"?

@Kawohl Do you have a SFDC reference? SFDC: 00006538

@davivel Sorry for the confusion. What I meant was that you have this overview beginning from server version 9.1.
[screenshot, 2016-11-24 09:16:09]
It would be awesome to be able to revoke the access with the session cookie.

@Kawohl, I have a first solution.

But, it's limited.

With it we can see the sessions of the Android app in the list, and we can revoke them. BUT, since the app is storing the password in the device, as soon as the user makes another action in the mobile app, a new session is created.

To get a real revocation, the user will have to change the password in the web UI and then revoke the active sessions.

This is the same behaviour that the iOS app shows right now. I didn't test the desktop client.

Is this good enough for the moment? To get a direct revocation of the session without changing the password we need to change a lot of things in the app, too many if we want to release before Christmas. Besides, those changes match better with the next switch to token based authentication.

@borjahawk, this is ready to test.

@davivel awesome! Thank you. This should be fine for now. I think the proper way to do this in future with the token revocation will be better. For now this should do it.

QA Validated.
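
The limitation described in the thread (a revoked session reappears because the app still holds the password, and only a password change followed by revocation really cuts access) can be reproduced with a toy model. This is an added example, not part of the original thread and not ownCloud code; the class names, the `scenario` helper and the credentials are all constructed for illustration.

```python
import secrets


class Server:
    """Toy server: a password login issues a session cookie; sessions can be revoked."""

    def __init__(self):
        self.passwords = {}  # user -> current password
        self.sessions = {}   # session cookie -> user

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def is_valid(self, cookie):
        return cookie in self.sessions

    def revoke_all(self, user):
        self.sessions = {c: u for c, u in self.sessions.items() if u != user}

    def active_sessions(self, user):
        return sum(1 for u in self.sessions.values() if u == user)


class PasswordStoringClient:
    """Client that keeps the password on the device and logs in again when needed."""

    def __init__(self, server, user, password):
        self.server, self.user, self.password = server, user, password
        self.cookie = None

    def action(self):
        # A missing or revoked cookie triggers a silent re-login with the stored password.
        if self.cookie is None or not self.server.is_valid(self.cookie):
            self.cookie = self.server.login(self.user, self.password)
        return self.cookie is not None


def scenario(change_password_first):
    """Return (client still has access, active session count) after revocation."""
    server = Server()
    server.passwords["test"] = "constructed-pw"      # constructed credential
    client = PasswordStoringClient(server, "test", "constructed-pw")
    client.action()                                  # first login creates a session
    if change_password_first:
        server.passwords["test"] = "new-constructed-pw"
    server.revoke_all("test")
    return client.action(), server.active_sessions("test")
```

Revocation alone leaves the client with access and a fresh session in the list; changing the password first makes the revocation stick.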
