tags:

views:

448

answers:

1
Q: 

Android: log into website and preserve session/cookie using DefaultHttpClient

Hi,

I've been through different tutorials and this website, but couldn't find a proper solution. On the other hand, I've seen apps logging into websites and requesting further information, so I'm sure there's a way to get this working, but maybe my approach is all wrong.

Here's what I'm trying to do: I want to log into a website that needs user authentication and then read and parse websites that are only accessible if the user is logged in. The problem: after POSTing the credentials to the website, I receive a cookie which doesn't seem to be preserved in my HttpClient, even though the docs suggest that exactly that should happen.

Here's some of my code:

DefaultHttpClient httpclient = new DefaultHttpClient();
HttpPost httpost = new HttpPost(LOGIN_URL);

List<NameValuePair> nvps = new ArrayList<NameValuePair>();
nvps.add(new BasicNameValuePair(USER_FIELD, login));
nvps.add(new BasicNameValuePair(PASS_FIELD, pw));
nvps.add(new BasicNameValuePair(REMEMBERME, "on"));

httpost.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));

HttpResponse response = httpclient.execute(httpost);
HttpEntity entity = response.getEntity();

if (entity != null) {
  entity.consumeContent();
}

List<Cookie> cookies = httpclient.getCookieStore().getCookies();

When I output the contents of "cookies", everything seems fine (I receive a session):

- [version: 0][name: ASP.NET_SessionId][value: xxx][domain: xxx][path: /][expiry: null]

As I understood, the cookie/session will be preserved and used in my HttpClient as long as I don't close it.

When reading the next page (which is restricted), using this code:

HttpGet httpget2 = new HttpGet(RESTRICTED_URL);
response = httpclient.execute(httpget2);
entity = response.getEntity();
InputStream data = entity.getContent();
// data will be parsed here
if (entity != null) {
    entity.consumeContent();
}
// connection will be closed afterwards

If I output the response of the GET-request (using response.getStatusLine()) I get a "200 OK" message, but parsing the site that is returned shows, that the login is lost (I only retrieve a login form).

Any help is appreciated.

+1  A: 

Assuming your httpclient object is the same in both cases, and assuming the RESTRICTED_URL is in the same domain as the LOGIN_URL, then I would think what you have should work.

You might wish to use Wireshark or a proxy or something to examine the HTTP requests you are making, to see if the cookie is actually being attached to the request. It may be that the cookie is being attached, in which case there is something else wrong that is causing your second request to fail.

CommonsWare  2010-08-08 15:09:55
`httpclient` is the same for all requests and the URLs are both on the same domain (both without SSL). I'll try Wireshark to find out what is being sent, thanks for the hint.
Select0r  2010-08-08 18:34:09
I've tried it: the cookie is attached to the second (GET) request and I receive a "302 Found"-message which will show the login screen.
Select0r  2010-08-08 19:11:15
@Select0r: sounds like something else is then wrong with that second request (e.g., server is expecting a `Referer:` header).
CommonsWare  2010-08-08 19:39:52
Sounds reasonable, thanks. I'll use Wireshark to analyze the traffic when I login to the website using a browser and get back here as soon as I find out the differences.
Select0r  2010-08-09 08:21:31
That didn't help, unfortunately, I'll have to investigate further. I think it's possible that the domain I'm trying to login to uses a more complicated mechanism, so I'll try my script with a test-script on another server first.
Select0r  2010-08-09 20:28:15

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?