Now I have a web server written with php. And there some php script files for database accessing. I'm writing a Qt app to send get/post request to the remote php scripts. However, it's not convenient to verify user identity for each request. So, I want to use session control on the web server. But I don't know how to do in Qt application.
As Orangepill and PLB said, the solution is Passing cookies to the request url, you may refer to QNetworkAccessManager::setCookieJar.
Steps
Instantiate the QNetworkAccessManager object and call setCookieJar for it.
Send POST request to the authenticate page which activates a session. Then you will have cookies got from the page in the cookieJar.
Send requests to the pages under the domain will with the session alive.
Related
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed by the server.
This application is to be integrated with a third party which handles authentication, so users cannot login directly. Our server just receives an SSO token (which comes appropriately signed so that we verify its integrity).
We also enforce security at the transport layer for all requests.
What I'd like to do is, once the SSO token is verified, start a session of my own and then redirect the user to the client. I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls, but it doesn't seem to be the case.
Is this deliberately disabled due to security reasons?
You must set withCredentials to true for cross-origin XHR requests to include cookies.
The CORS response must also say Access-Control-Allow-Credentials: true (which is why widthCredentials defaults to false).
I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls
Not for cross-domain requests for CORS-enabled ressources (which seems to be the case here, if I understand your described setup correctly.)
To make that happen, you need to set the withCredentials flag.
I'm making an online user account system for a game being created in Unity3d. The Unity application sends WWW requests to php files, and as a result some action is performed and the application gets feedback.
However, I've noticed that this method allows any application to send these requests. Can this be avoided? Is my method of communication between the client and the server flawed?
How can I make it so that only my application can send these requests?
Look up session key (or sesskey).
Basically it's a random string generated on the server and is valid as long as the session is active. This session key is sent to the client side and is one of the values in any server call. Each time the server compares the string to the one it has.
whenever the user logs out the session key is destroyed and a call from any third party application using the last sesskey will be denied.
I've a basic web service written in Delphi. This web service is receiving POST requests with JSON via PHP Curl Library from Phil used on Codeigniter.
The server returns the data according to the request.
On the first request i send my authentication and i get the respective JSON.
On the second request the server identifies a different session.
You need to set CURLOPT_COOKIEFILE so that cURL saves its cookies into a file. The reason you are losing your session is because cURL is not persisting your session cookie across all of your requests.
So, for Code Igniter it would be something like this:
$this->curl->option(CURLOPT_COOKIEFILE,'saved_cookies.txt');
What is the best way to write an android application that logs into a server? I am thinking I do not want to maintain a socket, so I think I want to avoid that, I think I want to use the http protocol. My question with that is, on the server side, ideally I would like to use PHP to handle the GET/POST calls from the android app, but I don't know how to return (using PHP) information that my app can handle and not just an html file.
So for example, the facebook app for android. When you first download the app, you login and then the app maintains your connection, but obviously the app is not another web browser, but a regular app that presents its information as if it were a web site. How does the app pass the session cookie so that the PHP $_SESSION variables maintain themselves? How does the android app handle the data that comes back?
If I send a get requestion to htt://www.test.php can the PHP code that executes on the server return a custom set of data? Will the $_SESSION variables be automatically maintainted?
Thank you
You can send a get/post request to log on the server. The PHP page can return JSON or XML. Then your Java (Android) code will have to parse that response.
You can have the PHP page log first, and then start a session. Maybe generate a token key and store this in the database, and then return this to the android app. Android app will get this token (after parsing), and probably save it in a preferences file. This approach is basically a custom session. You will have to figure out things like expiration of token, etc.
There might be a way to store PHP sessions, but not sure how an app behaves differently from a browser. I think sessions can be little bit more complicated with apps.
More discussion here: php session destroyed in android application
You just need to create Server Side API which receives and sends data back to Client. Server start session, when API is requested, and Client receives PHPSESSID which is used to keep session opened. On Client, you use cookie for sessions.
Read about sessions: PHP Sessions (simple) and Session Handling (comprehensive)