Android WebView Authentication bug.....

TomKieronskiTomKieronski AUUniversity ✭✭

Hi All

I am having an issue that is based in Android and the way basic authentication is cached "somehow" inside the webview operations.

Related links include:

http://stackoverflow.com/questions/4338915/android-webview-reset-http-session

http://stackoverflow.com/questions/7166760/clearing-users-facebook-session-in-webview

http://stackoverflow.com/questions/8034645/delete-data-in-the-browser

http://stackoverflow.com/questions/5404274/make-android-webview-not-store-cookies-or-passwords

http://stackoverflow.com/questions/1652850/android-webview-cookie-problem

http://stackoverflow.com/questions/2465432/android-webview-completely-clear-the-cache

https://code.google.com/p/android/issues/detail?id=22272 – this describes other people reporting this very issue

So what I have done is:

I have an activity that calls activity that contains only webview as per below XML:

<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical"
    android:layout_width="fill_parent"
    android:layout_height="fill_parent"
    android:minWidth="25px"
    android:minHeight="25px"
    android:id="@+id/layoutContainer" />

In this activities create method I tried various ways of clearing username and password from basic authentication but no matter what I do it always uses the very first username and password that app had used when it launched. The code for OnCreate:

            protected override void OnCreate(Bundle bundle)
            {
                base.OnCreate(bundle);

                // Create your application here
                SetContentView(Resource.Layout.fridgeWebView);

                localWebView =   new WebView(this);//FindViewById<WebView>(Resource.Id.webViewFridge);
                //SetContentView(this.localWebView);

                ActionBar.Hide();
                Android.Content.Res.Resources res = this.Resources;

                username = Intent.GetStringExtra("username") ?? "";
                password = Intent.GetStringExtra("password") ?? "";

                client = new MyWebViewClient(this);
                localWebView.SetWebViewClient(client);
                client.username = username;
                client.password = password;
                //WebViewDatabase.GetInstance(this).ClearHttpAuthUsernamePassword();
                WebViewDatabase.GetInstance(this).ClearHttpAuthUsernamePassword();
                WebViewDatabase.GetInstance(this).ClearUsernamePassword();
                WebViewDatabase.GetInstance(this).ClearFormData();

                string urlSTR = res.GetString(Resource.String.eapi_url) + "/family-fridge-readonly";
                //byte[] up = Encoding.UTF8.GetBytes(username + ":" + password);
                //string sec = System.Convert.ToBase64String(up);

                //URL url = new URL(urlSTR);
                //HttpURLConnection connection = (HttpURLConnection)url.OpenConnection();
                //connection.RequestMethod = "GET";
                //connection.SetRequestProperty("Authorization", String.Format("Basic {0}", sec));

                //CookieSyncManager.CreateInstance(this);
                //Android.Webkit.CookieManager cookieManager = Android.Webkit.CookieManager.Instance;
                //cookieManager.RemoveAllCookie();
                //cookieManager.SetAcceptCookie(false);

                tmpSTR = urlSTR.Replace("http://", "").Replace("https://", "");
                // this is to check if the username and password is indeed already there 
                // it never is as you would expect
                string[] det = localWebView.GetHttpAuthUsernamePassword(tmpSTR.Substring(0, tmpSTR.IndexOf("/")), "");
                localWebView.Settings.SetSupportMultipleWindows(false);
                localWebView.Settings.LoadWithOverviewMode = true;
                localWebView.Settings.UseWideViewPort = true;
                localWebView.Settings.JavaScriptEnabled = true;
                localWebView.Settings.SetSupportZoom(true);
                localWebView.Settings.BuiltInZoomControls = true;

                localWebView.LoadUrl(urlSTR);
            }

Please ignore various code that does not make sens as this is work in progress code - I try to check for any username and password, and try to clear any and every cache I can get my hands on but so far nothing works in my app as I always use the very first username and password that the webview used to access the web service/page.

I have implemented the WebViewClient as outlined in Google docs (and Xamarin forum at https://forums.xamarin.com/discussion/30191/http-basic-authentication) and its code is:

    class MyWebViewClient : WebViewClient
    {
        public string username { get; set; }
        public string password { get; set; }

        webViewFridge _activity;
        public HttpAuthHandler _handler { get; set; }

        public MyWebViewClient(webViewFridge activity)
        {
            _activity = activity;
        }

        public void Closeall()
        {
           // _handler.Dispose();
        }

        public override void OnReceivedLoginRequest(WebView view, string realm, string account, string args)
        {
            base.OnReceivedLoginRequest(view, realm, account, args);
        }

        public override void OnPageStarted(WebView view, string url, Android.Graphics.Bitmap favicon)
        {
            base.OnPageStarted(view, url, favicon);
            AndHUD.Shared.Show(_activity, "Loading", -1, MaskType.Clear);
        }

        public override void OnPageFinished(WebView view, string url)
        {
            base.OnPageFinished(view, url);
            AndHUD.Shared.Dismiss(_activity);
        }

        public override void OnReceivedHttpAuthRequest(WebView view, HttpAuthHandler handler, string host, string realm)
        {
            //string[] userDetails = view.GetHttpAuthUsernamePassword(host, realm);
            //if (userDetails != null)
            //{
            //    if (userDetails.Count() == 2)
            //    {
            handler.Proceed(username, password);
            //    }
            //}
        }

Please note how I have overridden the username and password to be supplied every time the webview does the OnReceivedHttpAuthRequest - well it only gets called once - ever until the app is stopped and restarted. This seems to indicate that somewhere the session/cache/webview/I have no idea what or who is storing the username and password and using it - as the server gets the username and password supplied.

I mentioned session here because I have tried to find way to kill session from the server side using a logout call but that too did not work for me as the server said -yes you're logged out - yes you now loggin as the user first supplied to the app and not as the one currently supplied in the OnCreate.

So here I am. Two weeks or wrecking my head against this issue with what seems to be many reporting to have come across it in the Android world but none so far that have worked out how to clear the username and password each time the activity gets loaded.

Many thanks

Tom

Answers

  • TomKieronskiTomKieronski AUUniversity ✭✭

    It's been a long time I guess nobody has this issue or nobody had been able to solve it?

  • I'm seeing this as well when doing basic auth. I can load the page fine in the browser, but the webview gets a 401 - full authentication is required to access this resource

  • TomKieronskiTomKieronski AUUniversity ✭✭

    What is even more frustrating that there are random phones that do not seem to have this issue. This has been confirmed by others. It does seem that Google just messed something up in the core allowing variants such as Samsung for one to have this issue. I found it surprising though that on Motorola the problem exists also. I can't believe that nobody knows a way around or how to correct this that they are willing to share.

    Anyway

    happy New Year to All!

  • RemiRRemiR FRMember
    edited February 2016

    Any news ?

  • TomKieronskiTomKieronski AUUniversity ✭✭

    Sadly no. Still a problem still trying various random ways around the issue.

  • PiotrWlodekPiotrWlodek USUniversity

    I can confirm the issue exists and still was not able to find a reliable way to get around it.

  • Hello, were you able to finally resolve this issue? I also have the same problem.

  • TomKieronskiTomKieronski AUUniversity ✭✭

    I have since found that this problem is in the OS itself. Thus it works on some devices and not on others depending on how it is changed by the manufacturers. Have not found any way to make it work across the board.

Sign In or Register to comment.