this post was submitted on 19 Jul 2023
1311 points (96.8% liked)

[–] rarely@sh.itjust.works 0 points 1 year ago (1 children)

I don't know, but what I do know is without sending cookies, the server won't know it's you. If you log in to Reddit on the app, cookies are saved so you can log in again the next time you load the app.

[–] static_motion@programming.dev 3 points 1 year ago (1 children)

They probably meant the in-app browser for browsing external links from Reddit.

[–] rarely@sh.itjust.works 0 points 1 year ago (1 children)

Ok so if application xyz has a browser, assuming that browser isn't just an embedded copy of a system browser (something that I am not sure is possible with Android or iOS development, I am just a web dev), it won't know your Reddit cookies unless you gave it. Or, more correctly, it may save your cookies for every site you visit, but that's just normal browser behavior. If you visit Reddit, your cookies are saved but if you didn't log in the cookies just identify you as a unique but otherwise unknown user. If you log in, then your cookies are saved if you load up the in-app browser again and find that you are still logged into Reddit.

The only time where you could expect to be logged into Reddit already via an in-app browser which you didn't log in with previously is if that in-app browser is just an embedded system web browser where you are logged in.

[–] hangonasecond@lemmy.world 1 points 1 year ago (1 children)

Nope, still not what they're talking about. They're saying, if you follow a post link to, say, www.example.com, and the app you're using shows you the page in app (usually using system default browser) rather than taking you out to your browser app. The question is, if example.com asks for permission to use cookies, will they stay in your browser or will they be cleared when you leave the page or close the app?

[–] rarely@sh.itjust.works 2 points 1 year ago* (last edited 1 year ago)

The browser stores the cookies, so if it is a system browser then the system browser stores the cookies even if embedded in the app. It also means that the app isn't likely aware of those cookies as it's part of a separate app.

Also, generally speaking, few developers want to build their own browser. It is far easier to just ask the OS to put a browser in a space provided by the app, than to build a browser that works well to be used on the greater internet and the actual app itself. I say this because "the browser stores the cookies" so if app xyz doesn't use a system browser then app xyz is the browser. Like, any app can ask you for your Reddit username and password, store that, make HTTP calls that log in with your username and password, parse the HTML it gets from Reddit, and report it back to you. This is essentially how Lemmy apps work at a high level with one big difference: these apps and the server are both aware of each other, which is the same sort of situation where a company like Google or Reddit gives API access as a sort of contract between how the apps and servers with better security and full consent of all involved.

Basically if you see Reddit apps pop up which don't use the official API, you should be wary. Doubtful they would make it onto the app stores but it's always possible. It doesn't mean they are nefarious, just that they could be.

The good news is it's pretty easy to tell what you are using.

Logged into example.com somewhere on your device, then you open a freshly installed app, click a link to example.com and you are already logged in? System browser.

Logged into example.com somewhere on your device, then you open a freshly installed app, click a link to example.com and you aren't logged in? This could be another browser if you have more than one installed on your device. So the ask... does it look and function like shit? This isn't a great test but again, building a browser that actually renders HTML, CSS and JS is difficult, so it's likely to not work or look very well if it's something built with the purpose of stealing data specifically.