Currently I am doing a project which runs both on Zend Framework (For Web site) and phone gap (For Mobile). I need to use the same code for website and web service for mobile.
Now I am facing the below mentioned issue,
The web service which I am calling from phone gap is to create the session and the session was created successfully. Now i am calling the another web service to get the user details based on session id. But the details are not displaying, because the session id is giving empty. So can you please suggest how can i proceed with this?
Thanks in advance
Session is not shareable. Try saving session id to database (or file) and than read it from server side.
Can you please give more information about how sessions are managed?
From the look of it, you might need to to use both $_SESSION and potentially an implementation of the SessionClassHandler interface to store sessions in a central database.
Also you might have issues with cookies, so you might need to pass the session id via URL. But this is very insecure so if this is the case, make sure that you at least use https or put oher mecanisms in place.
I hope this helps
Related
I am working on a site that has a login API. So when people login on my site, they will automatically be logged in to other sites.
Is their way by which a session can be setup so that other websites can use it? If not, is their any other solution?
One way - you can store your session values in database, and can use in other sites. :)
Example:-
let suppose if my site is deployed on multiple servers and end user might be redirected to different servers accordingly to traffic, then it would be good to save the session values in db.
Yes. It's possible using in example Redis for the session storage. You should look for configuring php sessions to use custom storage. Here is php man for this http://php.net/session.customhandler
What you want to do is probably using a cookie that is spread over your whole domain. This cookie can then be linked to a session. I'm currently working on something like this on Symfony2.
As example:
login.mydomain.com
application.mydomain.com
etc.mydomain.com
login.* will obviously contain my login logic + forms etc. This will also contain an API which the other applications can verify the cookie to. My Application will first check if the user is logged in. If not, it will check if it has the required cookie. If it does not, it will redirect to the login.* login page.
If it does have the cookie, it will validate this in my login.* API. Expired > redirect to the login page, if not it will return the required info of that user and "login" to my application.
The only problem I have at the moment is storing the session. I use mcrypt to encrypt the contents and store it in mysql (cookie_id, cookie_contents). I have but 1 problem, it doesn't automatically purge the expired sessions, I still have to find a solution for this.
What you are basically looking for is Single Sign-On (just a guess, but I think accurate).
I’m adding a notification to my website about a new feature that has been implemented. The notification is near the top of the website, in an eye-catching place to get people’s attention. Using jQuery, I wrote a small function that hides the notification when the user chooses to. If the user chooses to hide the notification, I want it to be hidden permanently for the remainder of the visit and on future visits to the website.
What would be the best way to make sure that when they return to the website later on, the notification is hidden? I thought about sending an AJAX request that creates a cookie when the user initially hides it, then checking for the cookie when the page loads, but I’m not sure if that’s the best way to do it. I don’t want to hide it based on IP address because I’m afraid that two users on the same network but different computers might access the website, and one will miss it, but maybe I’m being too paranoid. Any ideas on the best way to do this?
Why not just create/read the cookie with javascript?
I would suggest using javascript to set/read the cookie as well. Since you're already using jQuery I would suggest the jquery.cookie plugin. The only reason for doing an AJAX request to save the user's preference is if your user is logged into the site and you want to store their preference in a database or some other persistent storage so that whenever they are logged in they don't see the message about your new feature.
If the server does not need to be aware of the value of the cookie I would suggest you use localStorage instead.
localStorage exists on the client and does not get sent with the $_COOKIES header to the server.
More can be read about localStorage here
And even more can be read as per why you would want localStorage over cookies for client side data here Local Storage vs Cookies
I am creating a setup, where I have multiple drupal websites running. I am working on a single sign on, but I want to check if the calls to my websites are made from the same person. Is there like a browser cookie or something with which I can identify a user ?
It's like a session identifier but across multiple websites.
Does anyone know what I can use for this ?
Thanks in advance
If you are tying to do single sign on with Drupal I recommend looking at the bakery module. You may find that what you are looking for has already been implemented.
You could use the Login Cookie module to set your own cookie
I fixed it, by doing a redirect to one single website, which gives me an encrypted version of your session ID and then redirects you back to the website where you came from, where that key is stored in the local session of the SESSION
Have you tried to use PHPs standard session functions?
I mean you can login both https://mail.google.com/ and https://mail.google.com/a/company.com at the same time.
The projects I've attended so far haven't involved such kind of logic,how can these two url under the same domain use different $_SESSION?
I think there is not inbuilt session management feature in PHP.
You can use variable specific management in session.
for eg.
one login from https://mail.google.com/ then store all it's session data in $_SESSION['gmail'][X] , $_SESSION['gmail'][Y],$_SESSION['gmail'][Z]
and then in when another user login from https://mail.google.cpm/a/company.com then store all it's session data in $_SESSION['company'][X],$_SESSION['company'][Y],$_SESSION['company'][Z]
so by this, you can separate those two sessions from each other.
Those two URLs share the same domain. Only the subfolders are different. Usually with PHP, the cookie which saves the session id is valid for the whole domain and not only a specific subfolder. So there should be no problem using the session data with the same domain.
Maulik Vora's answer will work, but another way to do it is to configure PHP to used URL-based session ID passing. That way every tab or window has a separate session. See this page for information on how to do it, and why you may or may not want to. Here's the docs for it.
Say I have an ASP.NET webpage and I also have a PHP Blog/BBS/Website. I want all logins to be done via the ASP.NET webpage. The ASP.NET Session State is stored in SQL. Is there any way I can read/decode the Session State from PHP to tell if a user is logged on if I have the Session State cookie?
I don't think there's a supported way. You could reverse-engineer the store, but the database format may change with next .NET service pack and youe a'd be screwed then.
The only safe way would be to implement your own session state provider so you could guarantee that the database format doesn't change.
If all you need is to verify that the user is authenticated, it would be probably easier to send the user an encrypted cookie with the username and decrypt it in the PHP app.
I have never tried this but if you provided a simple web service that is part of your asp.net application but only accessable from your PHP site. You should now be able to read anything that is in session via the web serivce.
this is looks tricky, but try reading here. the issue here is know the way in what asp encodes and save the session, if you can read that format, this may help.
another way I'm thinking is to create a request to some "login" page form asp to php, where you send the login credentials and the php file creates the session, but this could be not secure if you leave it open, and also could be slow, since another request is necessary.
on the other hand I saw few sites, where once you are logged in, for example in the main site and you want to go to the forums, you click on some link that submit a form to the php login page (credentials are "harcoded" for that user in that session) and the php page login you like the "regular" behavior.
hope to be clear
Unless you specifically need full access to the entire asp.net session state, you may be better off just storing the particular pieces of information that you know both apps need to share in a shared database or file directly.
That way you can ignore most of the complexities of an asp.net session and just pick and choose the specific pieces data your apps need share with each other.