If a session id is stored can it be used to alter session data such as an array variable?
I am working on a project for a login system in PHP where the login authentication comes from an out-of-band source (mobile app or browser extension).
The browser page will use JavaScript to continuously request the login state from the server. The user will scan a QR Code on the page for example, and their phone will post their authentication by API to the server.
I would then like to alter the $_SESSION data associated with the session on the page that was issued with that specific QR Code. I can know the session id which issued that specific QR Code which data was returned by the mobile QR Code scan, but can I use the session id to modify the session data, so as to set the SESSION state to logged in?
I have looked through the PHP manual for a function that would allow this to modify another session but didn't find anything. (https://www.php.net/manual/en/ref.session.php)
in view set textbox value with $_SESSION id,
and when action, update data SESSION with id to database.
What you do is you set your session_id to the id data you want to edit then change the session values.
session_id('the id you have');
session_start();
$_SESSION['anydata'] = 'whatever you want';
Related
I am building a web application that will host multiple users. I have a login module which takes in the users email, password and remember me. That data is passed to login.php which checks for errors and if no errors calls the login_user function. The login_user function checks to see if the user's creds are correct and if so sets the row data to each SESSION Example:($_SESSION['first_name'] = $row['first_name'];). Now, the problem is when I'm logged in as user 1 and then open up a new window and login as user 2 and I go back to user 1's window and refresh the page I now have user 2 profile_pic for user 1. The $_SESSION data e.g: profile_pic is being read from a central file called loggedinuser.php which does 2 things: 1 checks to see if the user has logged in and 2 if so echo the session in json format. This is where I believe the problem is because the data is coming back correctly but each time the user logs in it reinitializes the session data to the last user who logged in. I have tried to using $_COOKIE to store the data but I get the same results. I tried using session_regenerate_id but get the same results. Prior to building the application I was under the impression that PHP takes care of unique sessions for each user. So my question is how do I set up my SESSIONS so that it returns the correct data that corresponds to each user login? Note I'm using JQuery to fetch the data from loggedinuser.php All help is appreciated.
A PHP session it's a browser session. If you open the same login page on the same browser it will use the same session.
If you try a different browser you'll get different sessions. You can also try a new browser window in private/incognito mode.
There's no error at all in what you're describing.
I need to store data in a session and make it available for other users.
I thought about to store that data in an Session, generate a random Link, which user 1 can send to user 2. The Session should expire after 3 Month.
The session name is the random code I generate which is simluar to the code I send with POST to receive it on the Secretlink with $_GET.
Is this working in general or am I on the wrong track?
Can I store a Session even when the user 1 left the website or will the session be terminated?
I also need to set the session via jQuery, but I couldn't find anything about expiration time of a session.
I already did it with a cookie, but of course that's not working with user 2.
Sessions are actually files, stored on the server. PHP sets a cookie with the session id, named PHPSESSID. You can also use the PHPSESSID GET parameter, but you would have to change that in the server's PHP settings. Using the GET parameter, you could pass that link to another visitor to let him use the session. You would also have to extend the session expiration time.
However, I wouldn't recommend sharing sessions with GET parameters. It could be a security risk when you are storing personal data in those sessions. I recommend that you write a small script that stores data in a database and that can be accessed (for reading and writing) by requesting an url or any url with a special GET or POST parameter.
One last thing, sessions are never accessible from jQuery directly. You would have to write a small script that requests data on your server via AJAX.
I have websiteA and websiteB. websiteB is coded in PHP+MYSQL.
Both websites use jquery.
Everything works like this: the user logs in on websiteA and after this happens I want to log him automatically to websiteB, so that if he goes to websiteB in a new tab, he is already logged in there and will not have to manually login.
I have access to both websites, but they are located on different servers.
Right now, once the user logs in on websiteA, I am sending a request to websiteB using jquery post, containing the encrypted username+password.
The login form works fine on websiteB, but there seems to be a problem with the sessions. The user is not logged in on websiteB even if the data was sent correctly and the login form works fine.
So I tried to do this:
1.user logs in on websiteA.
2.send request to websiteB and retrieve the session_id, using jquery post. We'll call the session id "sess1";
3.then I sent the username+password+session_id(sess1) to websiteB
Now websiteB has the session data and when I try to do the login on websiteB, I also try to set a custom session_id, based on the data previously retrieved.
So I use this code on websiteB:
<?php
session_id($_POST['session_id']);
session_start();
?>
If I keep sending POST requests to retrieve the session_id from websiteA to websiteB, the session_id is the original one(sess1), which is correct. Now if I open websiteB in a new browser page, the session_id is different. Like if I ran two different sessions on same browser.
This is probably because websiteB considers the data incoming from websiteB as being a client, and then when I open websiteB it treats it as another client.
So the question is, how can I mirror a login usign jquery or curl?
The only way right now seems to be to open a popup window containing the login data for websiteB as parameters.
I am assuming that both websites share access to the same database.
If so, I would suggest adding a column to the users table that will be used as a single-use login key. Also, another column for expiration time of that key (unless you keep track of last-login times).
User Logs into ws1
ws1 validates credentials
if credentials are valid generate random key and update appropriate table columns (tempkey value and expiration)
Page is rendered with javascript/jquery set to send a request to ws2(http://ws2.com/login.jsp?tempkey=[...])
ws2's login.jsp sees the tempkey and initiates a secondary login method
Secondary login on ws2 searches for the key in the users table and begins a new session for the user, bypassing normal login procedures.
ws2 sends the cookie for the session on ws2 back to the user through the jquery connection on ws1's page
In this case, there would be a different session_id for each site. I don't know if you're trying to share session data beyond just the user's identity. That would require some more technical knowledge to give a more thorough answer but the premise would be similar.
Hope that helps,
fie
I have a problem that when a person logs in then he should be restricted to only one IP address. He should not be able to login through different machine at the same time so is there any way to maintain session without using session cookie and without using session id in URL?
yes, by writing session in database. Apart for usual session data (id, and user data) you write and user_ip. So, while session is active you can restrict user access from another ip/machine or even browser (if you set your session uniqueness to be IP and browser headers - user agnet )
Please check link bellow, on how to extend session handler and save/read to/from database (and hence not using cookies)
set session in database in php
and this
PHP user authentication using database and ip address?
You can create a database table that gets updated with a session ID when the user logs in and removed when they logout. At login, you can check the database to make sure there isn't an active session in the DB.
So I currently store a token and user ID whenever a user logs in. The token is stored in the user table and in a COOKIE.
So user 1 logs in and the following details is stored in a COOKIE and database on his
computer:
id
randomly generated token
whenever he logs in a different token is generated.
To authenticate the user, everytime he accesses my site, I check to see if the token matches with that stored in the database for the specific cookie.
But the problem is that constantly checking the database is a waste of resources but how do we make sure that user is who they say they are? I can't just store his ID in a cookie because he could easily change the ID and get access to another user's information.
thanks!
Could you use a $_SESSION variable such as: $_SESSION['id'] = $randomstring;
Then at the top of each page check if the variable is set:
<?php if(isset($_SESSION['id'])) $loggedin;
else $logout;
?>
Use session_start() which handles the logistics of checking the cookie and validating that the data is actually for that user's session.
You have to start the session before you can use $_SESSION but that's one way to store session data.
http://php.net/manual/en/function.session-start.php