
How to open URL in Safari with preset cookies or headers in iOS?

In my application, I have a screen where the user clicks different types of files to view and download them. However, this screen is only accessible after the user is logged in through the website.

I launch the Safari browser with my URL by using this method:

UIApplication.sharedApplication().openURL(NSURL(string: url)!)

However, the user is being redirected to the login screen because he is not authorized to use the website yet.

My question is, how to pass cookies or headers to Safari and launch the URL with those?

The Cook asked Jun 28 '16 08:06


2 Answers

Be careful with passing any secure data in the URL query as it's considered to be a security risk.

Some reasons are:

  1. URLs are stored in web server logs
  2. URLs are stored in the browser history
  3. URLs are passed in Referrer headers

Reference: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/

I know it's not what you are looking for, but a more secure solution would be to use session-level cookies together with WKWebView. Check this SO answer for more information: https://stackoverflow.com/a/26577303/14009088

DamjanDabo answered Nov 13 '22 20:11


You can't do that directly. openURL does just that, no more.

You need to pass required credentials in the URL. The target server may read them from the URL and then set desired cookies in the response.

If you implement that, make sure it can't be abused to set arbitrary cookies or perform a session fixation attack. One way to implement that securely is to use one-time identifiers:

  1. In the iOS app, contact the server using a valid auth cookie and ask for a one-time long random key, which the server needs to store for a while.
  2. Redirect the user to a URL with ?key=<that one-time key>
  3. Make the server verify that the key matches and set cookies for the user, and delete the key.

Kornel answered Nov 13 '22 20:11
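
The three steps in the answer above, sketched from the server's side as an added example (not code from either answer or from any particular framework). The class and function names, the 60-second lifetime, the in-memory store and the cookie attributes are assumptions.

```python
import hashlib
import secrets
import time

KEY_TTL_SECONDS = 60  # assumption: the app opens Safari right after asking for the key


class HandoffKeys:
    """Server-side store for one-time handoff keys (in-memory for this sketch)."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # sha256(key) -> (user_id, expiry); the raw key is never stored
        self._clock = clock

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, user_id):
        """Step 1: called from a request the app made with its valid auth cookie."""
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(key)] = (user_id, self._clock() + KEY_TTL_SECONDS)
        return key

    def redeem(self, key):
        """Step 3: return the user id at most once; the key is deleted on any match."""
        entry = self._pending.pop(self._digest(key), None)
        if entry is None:
            return None
        user_id, expiry = entry
        return user_id if self._clock() <= expiry else None


def handle_handoff(store, key):
    """Logic of the ?key=... endpoint: only the key is read from the URL."""
    user_id = store.redeem(key)
    if user_id is None:
        return {"status": 403, "set_cookie": None}
    # The session id is minted here, so no caller-supplied value ever becomes a cookie
    # (this is what rules out arbitrary cookie setting and session fixation).
    session_id = secrets.token_urlsafe(32)
    cookie = f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return {"status": 302, "user": user_id, "set_cookie": cookie}
```

Because the key is deleted on first use and expires quickly, a copy left in server logs, browser history or a Referer header is no longer a valid credential.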