Is PHP able to maintain a session with devices that aren't using a browser to communicate with the server? I know that any application is capable of adhering to the HTTP protocol, but for languages like Actionscript3 and Java that consist of HTTP request classes in their frameworks, do they send the necessary parameters for PHP to hold a session like it does with a browser?
Any HTTP client library can support cookies (which is how PHP maintains session token state across requests by default). Some will handle cookies automatically, some will require it to be turned on in a preference, some will just provide an API to access the headers (which include the cookies).
Related
My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed by the server.
This application is to be integrated with a third party which handles authentication, so users cannot login directly. Our server just receives an SSO token (which comes appropriately signed so that we verify its integrity).
We also enforce security at the transport layer for all requests.
What I'd like to do is, once the SSO token is verified, start a session of my own and then redirect the user to the client. I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls, but it doesn't seem to be the case.
Is this deliberately disabled due to security reasons?
You must set withCredentials to true for cross-origin XHR requests to include cookies.
The CORS response must also say Access-Control-Allow-Credentials: true (which is why widthCredentials defaults to false).
I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls
Not for cross-domain requests for CORS-enabled ressources (which seems to be the case here, if I understand your described setup correctly.)
To make that happen, you need to set the withCredentials flag.
When it comes to building my web applications, I know HTTP 2 is going to be recommended for all traffic coming to the site. I understand the security concerns and the reason why it is recommended/forced to be used now.
When it comes the web-based languages I code in and understand such as Ruby, PHP, and Perl.
Is there any special functions that I will have to do to produce a secure connection to my server or all do we need to do is redirect all traffic to https:// over http://?
Basically, my autoloading class in PHP would load all classes and functions for my web application to operate. Would I need to create a SSL.class.php for allowing the connection to be secure within my PHP?
The changes in HTTP/2.0 over HTTP/1.1 are mostly relevant if your application streams large amounts of data to many simultaneous users.
Is there any special functions that I will have to do to produce a secure connection to my server or all do we need to do is redirect all traffic to https:// over http://?
No. HTTP/2.0 does not require TLS. If you want TLS (which, personally, I encourage), you still need to send clients to https://.
Basically, my autoloading class in PHP would load all classes and functions for my web application to operate. Would I need to create a SSL.class.php for allowing the connection to be secure within my PHP?
In most cases, the HTTP layer is a webserver problem, not a PHP-land application code problem.
If you are working on a framework that insists on parsing request headers and managing responses in a very HTTP-like fashion, then yes, you probably need to be aware of some of the changes in the new version of the protocol.
Differences Between HTTP/1.1 and HTTP/2.0 for Developers
Servers can push more data over an established connection in HTTP/2.0. This is really neat if you need to push real-time notifications (e.g. what StackOverflow does).
Better multiplexing and streaming; it's now possible to stream multiple resources over the same HTTP connection.
Source
Unless your application is keenly aware of networking protocols, it shouldn't matter much for our day-to-day CRUD interfaces.
How can I use cookies in non-browser clients (e.g Php - Android) in order to maintain session and other information.
My site is working based on cookies to maintain state,
Now when I am writing web services for mobile application, found out that the site is treating each API call as if they are coming from unique user, since cookies are absent.
How can I use cookies between PHP(Web service) and android application?
If you want to maintain seesion vars you have to persist the PHP-SESSIONID cookie on each call to your web service as long as you want to keep this session alive.
And also the other cookies should be set and sent manually on each request or using the CookieHandler.
Now I have a web server written with php. And there some php script files for database accessing. I'm writing a Qt app to send get/post request to the remote php scripts. However, it's not convenient to verify user identity for each request. So, I want to use session control on the web server. But I don't know how to do in Qt application.
As Orangepill and PLB said, the solution is Passing cookies to the request url, you may refer to QNetworkAccessManager::setCookieJar.
Steps
Instantiate the QNetworkAccessManager object and call setCookieJar for it.
Send POST request to the authenticate page which activates a session. Then you will have cookies got from the page in the cookieJar.
Send requests to the pages under the domain will with the session alive.
How Facebook chat is working? Can anyone give me idea? I mean they are using websocket or AJAX? How they have implemented it?
It's a comet (see wikipedia) model:
Comet is a web application model in which a long-held HTTP request
allows a web server to push data to a browser, without the browser
explicitly requesting it. Comet is an umbrella term, encompassing
multiple techniques for achieving this interaction. All these methods
rely on features included by default in browsers, such as JavaScript,
rather than on non-default plugins. The Comet approach differs from
the original model of the web, in which a browser requests a complete
web page at a time.
Example of comet framework is APE. It is for javascript, however comet can be written not only in javascript.
The user establishes a WebSocket connection through a process known as the WebSocket handshake. This process starts with the user sending a regular HTTP request to the server. An Upgrade header is included in this request that informs the server that the user wishes to establish a WebSocket connection.
WebSocket URLs use the ws scheme. There is also wss for secure WebSocket connections which is the equivalent of HTTPS.
If the server supports the WebSocket protocol, it agrees to the upgrade and communicates this through an Upgrade header in the response.
Now that the handshake is complete the initial HTTP connection is replaced by a WebSocket connection that uses the same underlying TCP/IP connection. At this point either party can starting sending data.
With WebSockets you can transfer as much data as you like without incurring the overhead associated with traditional HTTP requests. Data is transferred through a WebSocket as messages, each of which consists of one or more frames containing the data you are sending (the payload). In order to ensure the message can be properly reconstructed when it reaches the client each frame is prefixed with 4-12 bytes of data about the payload. Using this frame-based messaging system helps to reduce the amount of non-payload data that is transferred, leading to significant reductions in latency.