Session sid cookie for mobile app

Chall · January 19, 2024, 9:57pm

I am working on my first mobile app that connects to my website backend. I’m running into an issue with getting the session sid cookie set. My login API from mobile app is calling my

<form id="login1" method="post" is="dmx-serverconnect-form" action="https://ameforesight.com/api/registration/login" dmx-on:unauthorized="notifies1.warning('Unauthorized')" dmx-on:error="notifies1.danger('Uh oh, there was an error.')" dmx-on:success="notifies1.success('Nice!')" credentials="true" site="ameforesight_web">

The mobile app is running on local server. CORS is set up fine. I get a 200 response.

Response
:status: 200
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: http://localhost:62846
Set-Cookie: AWSALBTG=sEXJjL5ORG1f3Uxv/rCVTIV15BAWPVd3IVFgNC+rb4SdmZHpED41z/MhKu6PEa/ucNxvYndePb9ATYIXDTPr08CkQxwfnFJxbZAcHF2/YsAuJ6+jDsClV5+uc3g/Ywb3tejmUPjOO4dUruH8/L9Q+QBII4BLSUQVzoESagiI5kR5; Expires=Fri, 26 Jan 2024 21:27:27 GMT; Path=/
Set-Cookie: AWSALBTGCORS=sEXJjL5ORG1f3Uxv/rCVTIV15BAWPVd3IVFgNC+rb4SdmZHpED41z/MhKu6PEa/ucNxvYndePb9ATYIXDTPr08CkQxwfnFJxbZAcHF2/YsAuJ6+jDsClV5+uc3g/Ywb3tejmUPjOO4dUruH8/L9Q+QBII4BLSUQVzoESagiI5kR5; Expires=Fri, 26 Jan 2024 21:27:27 GMT; Path=/; SameSite=None; Secure
Set-Cookie: ameforesight_web.sid=s%3AMA_bX9ofW9TvliKWhqR24Uz644qlakQ5.ebHsyimZGrolxSUtZpPS2JhFXINgZYWE6%2BgVmTtksrc; Path=/; HttpOnly
Via: 1.1 70e229d4eacd4f08ec9e3ff9e96d427e.cloudfront.net (CloudFront)
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Date: Fri, 19 Jan 2024 21:27:28 GMT
Access-Control-Allow-Credentials: true
Content-Length: 16
X-Content-Type-Options: nosniff
ETag: W/“10-1hdmAldvBsUj9RCnmAnVo/K8SQI”
X-Frame-Options: SAMEORIGIN
Vary: Origin, Accept-Encoding
x-amz-cf-id: 3dJaSqgMccSeVu3eUkl76EUOoL0HGKTAJik2s6fLdprFfoXTSaYA-g==
x-cache: Miss from cloudfront
x-amz-cf-pop: MCI50-P2
permissions-policy: geolocation=(*), camera=(), microphone=(), display-capture=()
Strict-Transport-Security: max-age=31536000

The problem is the session cookie doesn’t seem to get set (can’t see it in my local cookies), so it is like I am not logged in. All my other server connect tasks use Security Restrict - so I just get an unauthorized response.

How can I get the session sid cookie to set? I have tried turning off the “Secure” feature on the cookie.

Any advice would be appreciated.

franse · January 19, 2024, 10:10pm

What device are you trying and need to have it working? Both Android and iOS?
Are you using the security provider (backend) from Wappler?
Is your app redirecting after the successful login?

Try this:

Make a login page, but no redirect.
Place a server connect restricted query that returns a value with “no autoload”
On the login server connect dynamic success event → Load the restricted query and check if it’s a 200 status.

The reason I’m suggesting this is because I believe the cookies are working but you need to configure your mobile app for storing them.

I’ll be glad to help you if this is the case.

Don’t worry about that

Chall · January 19, 2024, 10:19pm

So on the second query I got a 401 response.

franse · January 19, 2024, 10:22pm

Sorry about that the message got cut: Don’t worry about that, maybe is because your backend and frontend are on different domains (Mobile apps like capacitor work with http://localhost and your backend is on your website which has another domain).

Can you post some screenshots about your setup?
Also would be nice if you post your code (you can format the code by https://community.wappler.io/t/how-to-format-code-in-your-posts/19828)

Storing cookies is very tricky, but we were working with Milo and got it running without issues on both devices.

Chall · January 19, 2024, 10:46pm

Sure, I would be happy to send you whatever you need. I was worried the different domains may be an issue. I’m not sure how to get around that? I am currently just planning on IOS with capacitor bootstrap framework at the moment (maybe android later).

Just let me know what part of setup would be helpful. I appreciate your help on this.

franse · January 19, 2024, 11:32pm

Can you post here (or dm me, no problem at all) some screenshots about:

the security provider (dont show the secret key)
the config.php located on dmxconnect folder (also dont show the secret key)
the entire code of your index.html
search the console in browser and see if it throws some errors

It will save some time, but it’s ok if you don’t want to do it.

Anyways I’ll post here (give me some time) some steps that found needed

Chall · January 20, 2024, 12:08am

Thanks, yes I will work on sending that info over.

It seems like the backend is sending the sid cookie to be set, it just isn’t being set on the mobile app.

And then when I make the second query - the sid cookie is not being sent with the api call (or any cookies for that matter).

franse · January 20, 2024, 12:11am

Don’t worry, the cookies are fine, they’re set, just not stored, please check the console if you see something when you login.

Go to chrome, and before anything, f12, go to console, click on preserve log, reload, and then login like you usually do

Chall · January 20, 2024, 12:20am

I didn’t see anything except for the 401 for the second query. Yes, I agree, not being stored.

franse · January 20, 2024, 9:06pm

Please see

Chall · January 21, 2024, 4:02pm

Thank you! This looks promising! I will try and implement this and let you know how it goes. I really appreciate your help. I would never figure this out on my own.