How login works in Canvas

The Canvas platform uses a mix of cookies and headers to identify whether a user is logged in to the apps.

Below you will find more details on how that approach works from a more technical perspective.

In order to enable the login functionality in your app you will first need to adjust two parameters, located in the “General” group of settings of your app:

  • Remote_Server_Available: this parameter needs to be set to “true” if you want to enable the native login handling in the app. It will basically tell the app to look for the proper headers when it starts and in all subsequent requests.
  • Remote_Server_URL: this parameter will determine which URL should be used for a quick check when the app starts, looking for the login headers. We recommend using a fast-loading URL. If you are on WordPress, make sure to use the /canvas-api/loginstate endpoint, as it will only output the information we need.

Now that you have configured the app to use the native login, here is what will happen when you first open the app:

  1. The app will perform a request to the URL defined in “Remote_Server_URL”, looking for the “ml_available” and “ml_username” parameters. If the user is logged in, those parameters should be set in the form of headers.
  2. The app will check both parameters but will look for the ml_username to determine whether the user should be logged in or not. If ml_username is set as a header, the app will understand that the user is logged in and will bypass the login screen.
  3. If ml_available is set as a header but ml_username is not, the app will understand that the user is not logged in and will present the login screen to them.

There are a few things to keep in mind:

  • ml_available should always be set as a header and its value should always be true, whether or not the user is logged in.
  • ml_username should only be set as a header when the user is logged in.
  • The value for ml_username will be stored in OneSignal, so it can be used to target specific users for push notifications. If you are using WordPress, its value will be a hashed user id. If you are not on WordPress, we’d recommend using a similar solution.
  • Cookies and sessions should be handled by the website to avoid conflicts where the ml_username header is set but the user is not logged in. If you are on WordPress, this will be automatically handled by the MobiLoud Canvas plugin.
  • The apps will not perform any specific checks on your website’s cookies.
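
For a site that is not on WordPress, the header rules above can be implemented along these lines. This is an added example, not MobiLoud's or the Canvas plugin's code: the WSGI handler, the "sid" cookie name, the in-memory session store, the Cache-Control header and the HMAC-SHA256 keyed hash standing in for the "hashed user id" are all assumptions.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumptions (not from the Canvas docs): secret, cookie name, session store.
PSEUDONYM_KEY = b"replace-with-a-random-server-side-secret"
SESSION_COOKIE = "sid"
SESSIONS = {"constructed-session-token": 42}  # constructed sample: token -> user id


def pseudonymous_id(user_id):
    """Keyed hash of the user id, so the value sent to the app (and stored in
    OneSignal) cannot be recomputed from a guessed id without the secret."""
    msg = str(user_id).encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()


def current_user_id(environ):
    """Resolve the user from the session cookie; None if absent or unknown."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def login_state_headers(environ):
    """Headers for the Remote_Server_URL check and every later response."""
    headers = [("ml_available", "true")]  # always present, always true
    user_id = current_user_id(environ)
    if user_id is not None:  # only while the server-side session is valid
        headers.append(("ml_username", pseudonymous_id(user_id)))
    return headers


def app(environ, start_response):
    """Minimal WSGI endpoint playing the role of a login-state URL."""
    headers = login_state_headers(environ)
    # Per-user response: keep it out of shared caches (added hardening).
    headers += [("Content-Type", "text/plain"), ("Cache-Control", "no-store")]
    start_response("200 OK", headers)
    return [b""]
```

Because the apps do not check cookies themselves, the ml_username header only decides whether the login screen is shown; every protected page still has to validate the session on the server.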