In this question I asked how to POST to a php file from a vb.net app: POST to webpage in vb.net (win forms, desktop, not ASP.net)
So now I've logged in the user by posting their username and password to the php file; the php file then does security/checks they exist/etc. and if both username and password are correct it stores the user ID in a session variable.
Now if the vb.net app tries to download data off a page which needs the user to be logged in, it checks this by doing:
if (!isset($_SESSION['uid'])) {
    header("Location: index.php");
    exit; // stop here so the protected page is not rendered after the redirect header
}
However, after having logged in correctly in the app, the session variable is not set.
How does session work with a vb.net app like this?
When the user logs in successfully should I download the user id and keep it in the vb.net app and then post it to each page that requires authentication?
To have your PHP website recognize the VB.NET client as a logged on user you need to send a cookie. When you use session_start() in PHP, PHP will set a random ID in the visitor's cookie to link the session with. What you need to know is what this ID is. More specifically, on your first request to the website, you should read this out.
In your other question I saw you are using a WebClient instance. If you send a request, there is also a property called ResponseHeaders. This is a collection that contains the response headers from the webserver (in this case the webserver that's running your site). This will likely contain a cookie code too.
For example:
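Imports System.Net
Imports System.Text
Dim myWebClient As New WebClient
Dim responseArray = myWebClient.UploadData("http://...", "POST", Encoding.ASCII.GetBytes(postData))
' Read the Set-Cookie header from the response; it carries the PHP session ID
Dim MyCookie As String = myWebClient.ResponseHeaders.Item(HttpResponseHeader.SetCookie)
' Add it as the Cookie header for the next request
myWebClient.Headers.Add(HttpRequestHeader.Cookie, MyCookie)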
You have to process the responseArray in this example, but this is the basic principle for storing a cookie and sending it back. The next request you send out with the same instance of this WebClient will contain the cookie your site responded with on the last request. Basically it means the SessionID that the PHP site creates will be remembered and sent back.
Personally I would write a little wrapper class around this. Just make a function that sends out a login request to your specific site. Then store the cookie, and every request you will send later you add this cookie to it. You could easily write a 'generic' method like
string GetPage(string URL);
string PostPage(string URL, string PostData)
etc.
You should basically implement that functionality of a browser with respect to session management. That is, either you should provide the session-id in your URL (if the webserver supports and allows this) or you should store the session-id in the cookie, and when doing the HTTP-request, you should pass the cookie along. This is the preferred method.
Note that System.Web contains classes for doing Http requests and receiving Http responses, so you don't have to write everything by yourself; just use the classes in that namespace and you can implement it fairly easily.
Sessions in PHP (and every other web platform I know) work this way:
Client makes first request / sends login data
PHP creates session for client, a random session ID is generated
PHP script marks that session as "logged in"
PHP sends generated session ID to client (usually through a cookie)
Client makes subsequent requests and always sends along the session ID
PHP recognizes the client by the session ID and loads session data
If your client makes a request without sending the session ID some way, it will always be "not logged in" - the session ID is what makes the PHP script "remember" its state.
If your WebApp library doesn't handle session cookies (I'm not familiar with vb.net programming and libraries), look for a library that can, or - maybe easier - have the PHP script print out the session ID on successful login. Catch that printout in your app, and add the following GET parameter:
?PHPSESSID=123456
(123456 being your session ID) to every subsequent request you make from your app to PHP. That way, PHP should be able to recognize the correct session.
As I said, I'm not familiar with VB.NET so there may be more elegant, ready-made solutions for this. But this is definitely going to work if there are none.
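The exchange described in the steps above, as an added example that is not part of the original answers: a small Python stand-in for the PHP site and a client that requests the protected page once without and once with the session cookie taken from the login response's Set-Cookie header. The names FakePhpSite, /login.php and /data.php and the user ID 42 are constructed for the demo.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # session ID -> session data; like PHP, this lives on the server only

class FakePhpSite(BaseHTTPRequestHandler):
    def _send(self, body, session_id=None):
        self.send_response(200)
        if session_id:  # the header a new PHP session produces
            self.send_header("Set-Cookie", f"PHPSESSID={session_id}; path=/; HttpOnly")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):  # login page; the credential check itself is left out
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        session_id = secrets.token_hex(16)  # fresh random ID issued at login
        SESSIONS[session_id] = {"uid": 42}  # constructed user ID
        self._send("logged in", session_id)

    def do_GET(self):  # protected page: same test as isset($_SESSION['uid'])
        cookies = dict(part.strip().split("=", 1)
                       for part in self.headers.get("Cookie", "").split(";") if "=" in part)
        session = SESSIONS.get(cookies.get("PHPSESSID"), {})
        self._send(f"data for uid {session['uid']}" if "uid" in session else "not logged in")

    def log_message(self, *args): pass  # silence per-request logging

def request(port, method, path, cookie=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=b"user=alice" if method == "POST" else None,
                 headers={"Cookie": cookie} if cookie else {})
    response = conn.getresponse()
    return response.read().decode(), response.getheader("Set-Cookie")

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), FakePhpSite)  # port 0: any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    _, set_cookie = request(server.server_port, "POST", "/login.php")
    cookie = set_cookie.split(";", 1)[0]  # keep "PHPSESSID=...", drop the attributes
    without_cookie, _ = request(server.server_port, "GET", "/data.php")
    with_cookie, _ = request(server.server_port, "GET", "/data.php", cookie)
    server.shutdown()
    server.server_close()
    return without_cookie, with_cookie

if __name__ == "__main__":
    print(run_demo())
```

The first GET is what the desktop app in the question is doing: the login succeeded, but the request carries no session ID, so the server has nothing to look the session up by.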
Get your desktop app to read in the headers which are sent by the php script before the actual page content.
One of these headers will be the cookie data, you need to store this because you need to send this every time you request a page from the php script.
So, you need to find out how to read headers from a response and write headers for a request.
If this is too hard for you then you can pass data via the url GET parameters, like: http://example.com/?loginid=12345
One year ago, I made a PHP social network which works pretty well. Via browser, once the user logs in, I use the $_SESSION variable to store credentials and remember the user through all pages. Everything works well.
Now I'm trying to build the app version of the website, using Phonegap and jQuery Mobile. At first glance I tried to use the same approach: to manage user login I implemented a simple form with Email and Password, which sends an ajax request to a "check_login.php" file.
If email and pw are correct, I "login the user", which simply means I store everything in the session variable, as I always did.
What I noticed, which is driving me crazy, is that using this approach data are not being stored into the $_SESSION variable. Using my app, each time I send an AJAX request to the server, the $_SESSION variable is gone and it looks like login data are not stored. Like I never logged in. (Of course, I've put session_start() at the top of each page). Moreover, each time I send an AJAX request to the server, the session_id() changes.
Is that normal? Does this mean with Phonegap I can't rely on the $_SESSION variable or am I just missing something?
If yes, why?
The largest problem with this approach is that a pure PHP session will expire in a short period of time (the default is 24 minutes). So you're making inconsistently spaced calls that could cross that boundary of time.
There's a couple of ways around this
First would be to change your session handler to save the sessions in something more long term (like a database). More overhead but you could retain the session ID for a longer period and store it within your localStorage.
The second would be to directly tokenize your logins. So a user logs in and gets some random hash back (i.e. md5(uniqid(mt_rand(), true))) that serves as their token. Then your app contacts a special page and passes that token and you can check it in your token table. This would afford you more control over your logins. You could expire the tokens at will and would not be at the same mercies of PHP sessions.
The current situation is that I have two separate applications.
One is the one I called *user_client* and the other is the server.
The user_client is mostly the "mark-up", HTML stuff. This application will just throw a request to the server and receive a response. That's all.
On the other hand, the server is a CodeIgniter installation, where its controllers will receive a request thrown by the client, process the data and send back a response.
But I am rather confused about how I validate a user and where to store their sessions.
The problem now is that I have a login form in the user_client, and I setup JavaScript code to do Ajax calls to the server.
Something like:
success : server_path + 'login',
What I have done so far is that I used the data sent by the Ajax call to the server to validate the user and save a session.
Am I doing it right? When I saved a session, it is a session of the server, right? Not the user_client.
And how do I check if the user is logged in? Is it still possible to do the following?
if (isset($_SESSION['whatever']))
What am I missing out about sessions? What are my misconceptions about sessions, because I believe there are.
A session (simplified) is just a way for the server to keep track of one particular user across page requests. CI sessions will keep track of the user by creating a cookie on the client browser that saves a session id - that session id (if set up to) will be saved in the database in the "ci_sessions" (default name) table. All session data will be saved there.
Doing it the way you suggest is fine, just be sure to use a secure connection when you pass the authentication to the server.
I am working on a menu-driven USSD app developed in PHP. My app communicates with a telecom's USSD server using XML-RPC client-server interactions. Each time a mobile user sends a request to the telecom network, which in turn re-routes that request to my PHP app through the telecom's USSD gateway/server, my webserver (Apache) interprets each request as an entirely new session, so the session variable values I set for one request are not passed on to the next request even if it's still the same session. I am wondering why this is so and how I can solve this problem, so that I have my session values set for as long as the session is not ended. Thanks in advance.
How do you define "session"?
The XML-RPC client in this case needs to inform the server that it has a session - this is usually done silently by a cookie (PHP will send a Set-Cookie on session start with the id), or by a GET parameter in the URL. You could even do it yourself within the RPC response/request (although you'd have to write your own session handlers to extract the session ID).
Without that identifier - your server will treat each new request as a new session.
Basically I have a form in my Android app that lets the user enter his/her username and password and then this is POSTED to a very simple login page made in PHP online. I then need to access a second page which pulls down data from an xml file - in order to access this page the user must be logged in. The xml page that the user sees is dependent on their username.
On my login page I have
session_start();
// session_register() was removed in PHP 5.4; store the value in $_SESSION instead
$_SESSION["username"] = $username;
At the beginning of each page that checks login I have
<?php
session_start();
?>
and to check if the user is logged in I use a simple if statement
if (!isset($_SESSION["username"])) { ?>
display whatever
<?php } else {
    // bla
}
How can I make this work in my android application? I am unable to go to the xml page after I have logged in because it does not recognise me as being logged in.
Firstly, perform the login using a web browser to ensure it works ok. Then do the same thing again, and use something like Live Http Headers or Charles Proxy to examine the request and response headers. I imagine there will be some kind of session cookie passed back and forth after a successful login. You would need to read the cookie from the response of a successful login and send it back with the request for your XML page.
EDIT
There is a simple example of performing a post with a cookie using HttpClient and another using HttpsUrlConnection in my question and answer in this thread.
If it's a single retrieval, why bother with sessions? Have the website serve the XML file as direct response to the request with the user credentials by the application.
If you need to use sessions for some reason, you need to search the reply to the POST request for the session id and deliver the session id with your request for the XML data. The session id is likely in the cookies; it can also be in the hyperlinks of the page (depends on how you set up your login).
PHP sessions are implemented with cookies. Whenever you call session_start(), the response includes a Set-Cookie header which sets a browser cookie containing the PHP session ID. By default (and unless you have renamed the cookie with the session.name PHP configuration option), the name of the cookie is PHPSESSID.
After logging the user in, subsequent requests need to be issued with a Cookie header containing the session ID. Before submitting each request, simply make sure that you re-use the CookieStore object that you used to log the user in (call AbstractHttpClient#setCookieStore on any new HttpClient instance).
Essentially, you need to programmatically perform a post using the httpclient libs in Android, pull the session cookie from the response (Set-Cookie header), and make sure to include that cookie in any subsequent requests to the server.
You can Google for how to use httpclient to do a post, like this. Here's an example of inserting a cookie into a request using httpclient. I'll let you read some javadocs / find some more examples to put it together.
Please, can anyone tell me whether a web service using NuSOAP helps to pass a PHP session from one site to another site? I need to pass the user session to my other site using a PHP/Ajax/SOAP call.
This is pretty easy with a callback (here we have server1 as origin, and server2 as server to redirect to):
From server1, redirect user to http://server2/auth_from_server1.php?id=12345
On server2 (internally, in the PHP code of auth_from_server1.php), do a request to http://server1/secret/check_session_id.php with the ID, 12345.
On server1, in the implementation of check_session_id.php, validate the ID and return OK, FAILURE, and session related data you want to pass, such as username, ...
On server2, when the call returns with OK, store the transferred session data, and give the user a cookie and session for this server.
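An added example (Python, not code from any of the posts) of the random-token table that both the token-login answer earlier on this page and the callback steps above rely on. It assumes the ID handed to server2 is a short-lived, single-use ticket rather than the session ID itself, draws tokens from the secrets module in place of md5(uniqid(mt_rand(), true)), and stores only their SHA-256 digests; TokenTable, its methods and the sample values are hypothetical.

```python
import hashlib
import secrets
import time

class TokenTable:
    """Server-side token table; only SHA-256 digests of tokens are stored."""

    def __init__(self):
        self._rows = {}  # digest -> (data, expires_at, single_use)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, data, ttl_seconds, single_use=False, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (data, now + ttl_seconds, single_use)
        return token  # handed to the client once, never stored in clear

    def check(self, token, now=None):
        now = time.time() if now is None else now
        digest = self._digest(token)
        row = self._rows.get(digest)
        if row is None:
            return None  # unknown, revoked or already redeemed
        data, expires_at, single_use = row
        if now >= expires_at or single_use:
            del self._rows[digest]  # expired rows and redeemed tickets are removed
        return data if now < expires_at else None

    def revoke(self, token):
        self._rows.pop(self._digest(token), None)

def demo():
    table, t0 = TokenTable(), 1_000_000.0  # constructed clock value
    login = table.issue({"uid": 42}, ttl_seconds=30 * 24 * 3600, now=t0)
    ticket = table.issue({"username": "alice"}, ttl_seconds=60, single_use=True, now=t0)
    return {
        "login_ok": table.check(login, now=t0 + 3600),
        "login_reused": table.check(login, now=t0 + 7200),
        "forged": table.check("not-a-real-token", now=t0),
        "ticket_first": table.check(ticket, now=t0 + 5),    # server2's callback
        "ticket_replay": table.check(ticket, now=t0 + 6),   # same ID replayed
        "login_expired": table.check(login, now=t0 + 31 * 24 * 3600),
    }

if __name__ == "__main__":
    print(demo())
```

Because the ticket is consumed on first use and expires after a minute, an ID that leaks through a URL, log or Referer header is of no use once server2 has redeemed it.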
Depends... If you use cookies to send the sessionid from the user to the server, no, since the browser won't send the cookie to a different domain than the one it originated from.
You can however send the sessionID as a parameter in the ajax call. But this will only work if the other site has access to the session data, e.g. same server and session data is in /tmp