Android fetch url, that needs logging in
https://stackoverflow.com/questions/4286265
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I want to fetch data from the webpage, that contains some json data. The problem is, json data only returns if user is logged in on the website. If he is not, the login page is returned.
URL url = new URL(API_URL);
URLConnection conn = url.openConnection();
BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream)));
StringBuilder builder = new StringBuilder();
String line = "";
while ((line = br.readLine()) != null) {
builder.append(line + System.getProperty("line.separator"));
}
String result = builder.toString();
So, in result I'm expecting to have json data. But I have a login page there. I tried logging in from the browser, but it did not help.
How do I use cookies from my browser to get through this login page?
Solution
If you were using Java SE, I'd recommend that you use the Apache HttpClient library. This has support for various kinds of authentication, including form-based login with session cookies. I don't know if this is a good recommendation for Android.
EDIT
I hadn't noticed that the real issue was accessing the browser cookies.
1: Have you tried using android.wewbkit.CookieManager.getInstance() or createInstance(Context) to get hold of the browser's cookiemanager instance?
2: Is it possible to write your application (or part of it) as a webkit plugin so that it can access the cookie that way? (I don't know enough about webkit / android to know if this even makes sense.)
3: If you cannot do that, you could conceivably write your application as a web proxy and have it "steal" the cookies as they come through. (This sounds like a bad idea though. There are security and privacy issues, as well as the issue that you could interfere with normal browser functionality.)
4: Finally, there is the fallback option of writing your application to do its own login and manage its own session cookie. The snag is that you cannot avoid making your application specific to the remote website's way of doing login.
FOLLOWUP
@Daniel Trebbien's answer argues that option 1: is a not starter for security reasons. This makes sense. (If one app could get at another app's cookies, browser security would be nonexistent.)
While Android does provide a Plugin API, but it is deprecated and I've saw a posting from an Android engineer saying that its use is discouraged for 3rd party code. This pretty much makes option 2: a dead end.
Option 3: would require the user to configure his phone's Browser to use your app as a proxy ... which they probably shouldn't do.
A couple of other options to consider are:
5: Implement your application's functionality in Javascript as a NPAPI Browser plugin.
6: Use WebView to provide your application with its own (cut down) web browser. Your application will naturally have full access to its own CookieManager instance.
OTHER TIPS
If it were possible to grab arbitrary cookies from the Browser app or download data through the Browser, then I would be very concerned because these would be critical security flaws. Imagine that someone is logged into BankOfAmerica.com and an app is able to inspect the bankofamerica.com session cookie or download bankofamerica.com pages through the Browser. In either case, the app would be able to perform online banking actions as the logged-in individual!
The simple answer is that your app needs to ask for the user's login information. You then use HttpClient with your own cookie store to sign the user in.
