[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Inject Authorization Header into WebView on Mobile

I appreciate the responses fellas.  Olaf, sadly on mobile, even if you did
use HTTPLoader to upload an authorization header, I don't believe there is
anyway to display what is returned in a mobile WebView like StageWebView. 
But I certainly appreciate the idea. The ANE that I purchased only seems to
load HTML from a given URL.

Erik, your idea sounds very intriguing to me, but I am so inexperienced in
PHP and web development that I am not sure that I completely understand, so
you may have to tell it to me like a child ;)  Here is what I think that you
are telling me:

1. Use HTTPLoader to create an Authorization Header and access a PHP file
that I can use to make sure a user is authorized on my server, and in the
return response, send back a URL to the actual page that I want to view.

2. Use the returned URL to load the page into StageWebView.

Although this sounds like a fantastic idea to me on the surface, I don't
understand how it would be secure.  The page I want to display in my mobile
app is what needs to be secure, but it also needs to be in a publicly
available folder so that my users can access it.  But I don't want anybody
with a browser to be able to just browse to the public file and display its
contents.  So basically, I have a public file that I want my mobile users to
be able to access, but I don't want anybody outside of the app to be able to
access it.  Thus the idea for Basic Authentication.

My basic understanding of Apache is that my PHP file needs to be in a
publicly accessible folder to be served by Apache, so even if I did use
HTTPLoader to send a header to authenticate users and then return a URL to
load the content, that content would be sitting right there in a public
folder for anybody to browse to anyway.  Unless of course, there is a way in
Apache to serve up content from a non-public folder that I am completely
unfamiliar with.  I guess my question is, how do I hide the actual critical
page from the public and get a URL to its location?

I know I am missing something.  I apologize for my inexperience in this

Sent from: