Basically I have a form in my android app that lets the user enter his/her username and password and then this is POSTED to a very simple login page made in PHP online. I then need to access a second pae which pulls down data from an xml file - in order to access this page the user must be logged in. The xml page that the user sees is dependent of their username.
On my login page I have
session_start();
session_register("username");
At the beginning of each page that checks login I have
<?php
session_start();
?>
and to check if the user is logged in I use a simple if statement
if(!session_is_registered("username")){?>
display whatever
else bla
How can I make this work in my android application? I am unable to go to the xml page after I have logged in because it does not recognise me as being logged in.
Firstly, perform the login using a web browser to ensure it works ok. Then do the same thing again, and use something like Live Http Headers or Charles Proxy to examine the request and response headers. I imagine there will be some kind of session cookie passed back and forth after a successful login. You would need to read the cookie from the response of a successful login and send it back with the request for your XML page.
EDIT
There is a simple example of performing a post with a cookie using HttpClient and another using HttpsUrlConnection in my question and answer in this thread.
If it's a single retrieval, why bother with sessions? Have the website serve the XML file as direct response to the request with the user credentials by the application.
If you need to use sessions for some reason, you need to search the reply to the POST request for the session id and deliver the session id with your request for the XML data. The session id is likely in the cookies, it can also be in the hyperlinks of the page (depends on how you setup your login).
PHP sessions are implemented with cookies. Whenever you call session_start(), the response includes a Set-Cookie header which sets a browser cookie containing the PHP session ID. By default (and unless you have renamed the cookie with the session.name PHP configuration option), the name of the cookie is PHPSESSID.
After logging the user in, subsequent requests need to be issued with a Cookie header containing the session ID. Before submitting each request, simply make sure that you re-use the CookieStore object that you used to log the user in (call AbstractHttpClient#setCookieStore on any new HttpClient instance).
Essentially, you need to programmatically perform a post using the httpclient libs in Android, pull the session cookie from the response (set-cookie headeR), and make sure to include that cookie in any subsequent requests to the server.
You can Google for how to use httpclient to do a post, like this. Here's an example of inserting a cookie into a request using httpclient. I'll let you read some javadocs / find some more examples to put it together.
Related
Is it possible to realize such flow:
User puts login and password into form on my site and submits it
My server grabs data and uses Guzzle or another tool to make a request and proceed with authentication some site (for example facebook)
Facebook sends back cookies back to guzzle, which will contain some token(s) which will be used further.
Server sets cookies for the user. Next time user would like to go on facebook - he will be logged in (using grabbed earlier cookies)
I am using PHP and Guzzle on server, but it does not quite matter.
As I guess, it is not possible, because we should set cookies for another domain, which is not secure. But, I haven't found any alike topics, so I must be sure.
Thanks!
I have websiteA and websiteB. websiteB is coded in PHP+MYSQL.
Both websites use jquery.
Everything works like this: the user logs in on websiteA and after this happens I want to log him automatically to websiteB, so that if he goes to websiteB in a new tab, he is already logged in there and will not have to manually login.
I have access to both websites, but they are located on different servers.
Right now, once the user logs in on websiteA, I am sending a request to websiteB using jquery post, containing the encrypted username+password.
The login form works fine on websiteB, but there seems to be a problem with the sessions. The user is not logged in on websiteB even if the data was sent correctly and the login form works fine.
So I tried to do this:
1.user logs in on websiteA.
2.send request to websiteB and retrieve the session_id, using jquery post. We'll call the session id "sess1";
3.then I sent the username+password+session_id(sess1) to websiteB
Now websiteB has the session data and when I try to do the login on websiteB, I also try to set a custom session_id, based on the data previously retrieved.
So I use this code on websiteB:
<?php
session_id($_POST['session_id']);
session_start();
?>
If I keep sending POST requests to retrieve the session_id from websiteA to websiteB, the session_id is the original one(sess1), which is correct. Now if I open websiteB in a new browser page, the session_id is different. Like if I ran two different sessions on same browser.
This is probably because websiteB considers the data incoming from websiteB as being a client, and then when I open websiteB it treats it as another client.
So the question is, how can I mirror a login usign jquery or curl?
The only way right now seems to be to open a popup window containing the login data for websiteB as parameters.
I am assuming that both websites share access to the same database.
If so, I would suggest adding a column to the users table that will be used as a single-use login key. Also, another column for expiration time of that key (unless you keep track of last-login times).
User Logs into ws1
ws1 validates credentials
if credentials are valid generate random key and update appropriate table columns (tempkey value and expiration)
Page is rendered with javascript/jquery set to send a request to ws2(http://ws2.com/login.jsp?tempkey=[...])
ws2's login.jsp sees the tempkey and initiates a secondary login method
Secondary login on ws2 searches for the key in the users table and begins a new session for the user, bypassing normal login procedures.
ws2 sends the cookie for the session on ws2 back to the user through the jquery connection on ws1's page
In this case, there would be a different session_id for each site. I don't know if you're trying to share session data beyond just the user's identity. That would require some more technical knowledge to give a more thorough answer but the premise would be similar.
Hope that helps,
fie
I have an app that i use at networking events where users walkup and accept it. It seems that linkedin keeps the user logged in when i pass them through the "accept application" dialog.
Anyone know how to log the user out using code? As this would save me closing the browser everytime to kill the session, which slows down the process greatly.
If you are doing everything server-side via PHP, then you don't need to kill that session, since it's only tied to the token. You just need to request a new token when the next user logs in. If you feel it's more secure, you could just set the token to "" at the end.
If you are doing client-side authentication via Javascript API, then check out:
IN.Auth, IN.Event, and IN.UI
Specifically, the section titled "Log the User Out"
It appears you just need to call the logout method, specifically:
IN.User.logout(callbackFunction, callbackScope)
Where callbackFunction is a function you define that gets called after the session ends, and callbackScope is an optional object that you want to run the callback function on (defaults to the window object).
It also mentions that running the above simply clears the cookies for the session, so hypothetically, if the above didn't fit, you could write a browser-based (which is to say, not running on the domain-restricted page, but in a browser add-on that has full access to all domain cookies) that deletes the cookies when the user reaches a certain page (maybe the thank you page?)
I imagine that would be overkill, however.
Update:
Based on some further reading of how the javascript API works (specifically how the API key that your app has for every request), it looks like the cookie that controls the user's session is tied to your domain, not linkedin (although this is odd, since linkedin shouldn't have access to your domains cookies to confirm that the session is still valid). I'd still use their build in method, but you could also kill the session by clearing whatever cookie they create through your own function.
In this question I asked how to POST to a php file form a vb.net app: POST to webpage in vb.net (win forms, desktop, not ASP.net)
So now I've logged in the user user by posting their username and password to the php file, the php file then does security/checks they exist/etc and if both username and password are correct is stores the user ID in a session variable.
Now if the vb.net app tries to download data off a page which needs the user to logged in, it checks this by doing:
if (!isset($_SESSION['uid'])) {
header("Location: index.php");
}
However after having logged correctly in the app the session variable is not set.
How does session work with a vb.net app like this?
When the user logs in successfully should I download the user id and keep it in the vb.net app and then post it to each page that requires authentication?
To have your PHP website recognize the VB.NET client as a logged on user you need to send a cookie. When you use session_start() in PHP, PHP will set a random ID in the visitors cookie to link the session with. What you need to know is what this ID is. More specifically, on your first request to the website, you should read this out.
In your other question I saw you are using a WebClient instance. If you sent a request, there is also a property called ResponseHeaders. This is a collection that contains the response headers from the webserver (in this case the webserver that's running your site). This will likely contain a cookie code too.
For example:
Dim myWebClient As New WebClient
Dim responseArray = myWebClient.UploadData("http://...", "POST", Encoding.ASCII.GetBytes(postData))
Dim MyCookie As String = cl.ResponseHeaders.Item(HttpResponseHeader.SetCookie)
myWebClient.Headers.Add(HttpRequestHeader.Cookie, MyCookie)
You have to process the responseArray in this example, but this is the basic principle for storing a cookie and sending it back. The next request you send out with the same instance of this WebClient will contain the cookie your site responded with the last request. Basically it means, the SessionID that the PHP site creates will be membered and send back.
Personally I would write a little wrapper class around this. Just make a function that sends out a login request to your specific site. Then store the cookie, and every request you will send later you add this cookie to it. You could easily write a 'generic' method like
string GetPage(string URL);
string PostPage(string URL, string PostData)
etc.
You should basically implement that functionality of a browser with respect to session management. That is, either you should provide the session-id in your URL (if the webserver supports and allows this) or you should store the session-id in the cookie, and when doing the HTTP-request, you should pass the cookie along. THis is the preferred method.
Note that System.Web contains classes for doing Http requests and receiving Http responses, so you dont have to write everything by yourself, just use the classes in that namespace and you can implement it fairly easy.
Sessions in PHP (and every other web platform I know) work this way:
Client makes first request / sends login data
PHP creates session for client, a random session ID is generated
PHP script marks that session as "logged in"
PHP sends generated session ID to client (usually through a cookie)
Client makes subsequent requests and always sends along the session ID
PHP recognizes the client by the session ID and loads session data
If your client makes a request without sending the session ID some way, it will always be "not logged in" - the session ID is what makes the PHP script "remember" its state.
If your WebApp library doesn't handle session cookies (I'm not familiar with vb.net programming and libraries), look for a library that can, or - maybe easier - have the PHP script print out the session ID on successful login. Catch that printout in your app, and add the following GET parameter:
?PHPSESSID=123456
(123456 being your session ID) to every subsequent request you make from your app to PHP. That way, PHP should be able to recognize the correct session.
As I said, I'm not familiar with VB.NET so there may be more elegant, ready-made solutions for this. But this is definitely going to work if there are none.
Get your desktop app to read in the headers which are sent by the php script before the actual page content.
One of these headers will be the cookie data, you need to store this because you need to send this every time you request a page from the php script.
So, you need to find out how to read headers from a response and write headers for a request.
If this is to hard for you then you can pass data via the url GET parameters, like: http://example.com/?loginid=12345
Please any one tell me will webservice using nusoap helps to Pass PHP Session one site to other site. I need to pass the user session to my other site using PHP/Ajax/SOAP call
This is pretty easy with a callback (here we have server1 as origin, as server2 as server to redirect to):
From server1, redirect user to http://server2/auth_from_server1.php?id=12345
On server2 (internally, in the PHP code of auth_from_server1.php), do a request to http://server1/secret/check_session_id.php with the ID, 12345.
On server1, in the implementation of check_session_id.php, validate the ID and return OK, FAILURE, and session related data you want to pass, such as username, ...
On server2, when the call returns with OK, store the transferred session data, and give the user a cookie and session for this server.
Depends... If you use cookies to send the sessionid from the user to the server, no. Since the browser won't send the cookie to a different domain than what it was originated from.
You can however send the sessionID as a parameter in the ajax call. But this will only work if the other site have access to the session data. Eg. same server and session data is in /tmp