Make multiple AJAX request using the same session - php

I have a REST webservice that returns an hash value based on the current http session. If I open the webservice page using a browser, I will see the same value refreshing the page or opening the page in multiple tab. This is the expected behavior because I'm using the same session on multiple request. If I do an AJAX request using the $http service of AngularJS, I obtain a different value each time. It seems that each request uses a different session. I need to obtain the same behavior like the browser request, multiple request that sharing the same session. Is it possible?
More info about server environment:
The server side REST webservice is powered by Laravel 4.2, there is a simple RESTful controller that return the hash code using this function:
public function getCsrf () {
return Response::json(array('csrf' => csrf_token()));
}
if I browse the webservice page using my browser I obtain always the same result (i.e. http://myservice.page/rest/csrf), If I do the same thing using ajax I obtain always different results.

I would do it on the server side: cache the hash value. If an ajax request comes in, I would determine if it is already associated with a map of session/hash value. return it if it exists.
You can also put the hash value in sessionSorage, and do some checking logic in angular httpInterceptor, but this is more fragile than backend

Related

Checking script caller

I wrote a API for a system. It is a PHP file, which is called with some parameters. It is called like this: "https://abcdefg.de/api/api.php?test=test". This script returns sensitive data when it is called. To make sure only the right api users get the information the parameters has to contain correct credentials.
To make the api more secure the idea was to check in addition who is calling the script. For example only the website "https://test.de" should be able to call the api script. But how to achieve this in PHP? How to check what is the url of the "caller"?
I already tried $_SERVER['HTTP_REFERER']; but I read that it can be easily manipulated and in our case it returns always null, because we use https instead of http.
Is there a solution to our problem?
Thanks in advance,
Filip.
HTTP_REFERER will not be working in real with API, it's related to the form submitted from another page or website, in case this is the situation this is called cross-site request forgery, the solution here is to create a token in every rendered form and send it with the submitted data, from the backend, you will validate this token (most of the time is saved in the sessions), you can check it

session id is changing after every request

I have a php backend for API's and I am using Angular5 for my frontend. I was wondering, how can I handle sessions on Angular? I tried reading the documentation and was unable to come up with anything.
After login if I am making any request it is creating different session id?
for the frontend, if you want to access the values from the browser and send it to sever as well try storing the values in local storage which are very simple to set as well as to get in angular.
just you need to write is
localStorage.setItem('yourstoragename', JSON.stringify({ token: token, name: name }));
to access this you can write as
var name = JSON.parse(localStorage.getItem('yourstoragename'));
console.log(name);
Session data is something handled by the server-side, and the client (Angular in your case) is not able to read it.
The client (Browser for example) can get the session_id, and store additional information to be kept (Not secured information, as you can see all cookies's data with DevTools for example).
In most cases, after post of the login, the server will give you a token that you can use with later requests, so on your side you have to keep that token, and use it with the following requests to the PHP Server.
Refs:
https://coderwall.com/p/8wrxfw/goodbye-php-sessions-hello-json-web-tokens
I was able to use $_SESSION in my PHP to handle user login with ionic-angular-3.9.2. Using {withCredentials: true} in the Angular HttpClient requests was the part I had a hard time finding. I posted a detailed answer in my reply to this question (other solutions are there also):Why session PHP can’t be used with Ionic?

consuming two consequence Rest web serivce using PHP, curl or file_get_contents?

I need to first use webservice to login and then set the cookie in browser, then call another webservice and get some user specific data.
When I paste rest webservice on browser (first logging, then another one to get user specific data) it works fine.
But if I call those two web services using php (used twice) with
file_get_contents("url to login");
$Userdata=file_get_contents("url to get user specific data");
it seems $Userdata has no data, as if previous line file_get_contents("url to login");
has not been executed.
Any idea how to do this?
You can send cookie with get_file_contents via stream context (see PHP - Send cookie with file_get_contents) but if you want to use the cookie to log in, you have to somehow grab the cookie set by first request. It could be easier to use cURL. There is other question with accepted answer to describe this with cURL: file_get_contents receive cookies

Reading cookies with PHP

I am trying to read a cookie which I've set with javascript, jQuery Cookie Plugin specifically, and then after that I'm reading it with PHP to write it into a database.
For some reason the cookie is being created on page load, but doesn't "exist" until the page is refreshed. Which means that I'm pumping blank fields into my database tables.
The only way I can think of doing it is to AJAX out to a script which creates the cookie. Or ajax out to a script which returns the data to me in json.
The use case is that I'm creating a simple analytics class for an internal project, and I'd like to write into the database the users resolution, colour depth and all that jazz, which I'm using screen.width etc to get.
Cookie data are sent to the server (and forwarded to the PHP interpreter) when the client performs the request. Therefore, a cookie set by JavaScript on the client after the page has been requested from the server will not be transmitted until the next request to same server.
What you'll have to do is to perform some kind of request (could be done via AJAX) where a PHP script handles the incoming cookie information and stores it in the DB.
#jensgram is right. These two scenarios can happen:
User requests your page and (s)he hasn't the cookie. You render the response via PHP, but you can't see the cookie at server. Response gets delivered to the browser and on DOMReady (or events like that) you set the cookie. User sends another request (via interaction with your page). Here you have the cookie at server.
User already has the cookie (coming back to your site) and sends a request. You render the response via PHP, but this time, cookie is available in first shot. The rest is the same.
Two suggestions:
To prevent inserting null (or empty) values into your DB, first check to see if cookie exists or not. If not, simply try to set it.
For implementing Analytics, predefined patterns exist. For example, instead of setting a cookie, you can include your script on every page, and on load of each page, you can get the information you need, and send an asynchronous ajax request to your Analytics Collector PHP file. No need for cookie :)

Securing GET call

I have a file, caller.php, which takes a GET URI that specifies a value to search the database for. The data is then returned in JSON format using php.
I want to protect caller.php so that it is only accessible from another page, get.php, using an AJAX call.
What is the best way to go about this?
I want to protect caller.php so that it is only accessible from another page, get.php, using an AJAX call.
You can't. An AJAX call can be easily faked, as can its origin.
There is no reliable way for you on server side to tell whether a call is an Ajax one or not, nor where it came from.
You need to secure your Ajax resource the same way you would secure a normal page - e.g. through an authorization system like a user login, etcetera.
Without such an authorization system in place, you have to assume that everyone can access the URL.
You could check the session to see if the call is authorized or not. AJAX requests will send you the PHP session cookie. This assumes that caller.php is secured by some kind of user login system that uses sessions

Categories