I need to authenticate against a web page within my iOS app.
I have the user's username and password stored in the app. I can get to the page with this URL:
https:/xxxxxxxxxxxx/names.nsf?login&username=xxxxxxxx&password=xxxxxxxx3&redirectto=websiteURL/Bryan/Approve.nsf/m_approval.xsp
where of course I replace the xxxx's with the user's name and password.
However, I know this is not really secure as when I check my server I am seeing that URL with the username and password en clair. From reading and research I believe I should encode the url with Base64 and then send that. But I cannot figure out how to do that.
The code below is an attempt. I have tried changing the URL to take out the username password, but that doesn't work.
I really would appreciate help on what to do.
NSURL *url = [NSURL URLWithString:@"https://xxxxxx/"
@"names.nsf?login&username=xxxxxxxx&password="
@"xxxxxxxx3&redirectto=https://xxxxxx"
@"Bryan/Approve.nsf/m_approval.xsp"];
NSString *authStr =
[NSString stringWithFormat:@"%@:%@", @"xxxxxx", @"xxxxxxxx"];
NSData *authData = [authStr dataUsingEncoding:NSUTF8StringEncoding];
NSString *authValue =
[NSString stringWithFormat:@"Basic %@", [authData base64Encoding]];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
[request setValue:authValue forHTTPHeaderField:@"Authorization"];
[self.webView loadRequest:request];
Two things:
1. Encoding with Base64 is just an encoding, it is not encryption and provides no security.
2. Since you are using https the connection is secure. Why do you feel you need more security.
The real security issues are how the password is secured in the app and in the server.