Will a web service help to pass a PHP session from one site to another site - php

Please, can anyone tell me whether a web service using NuSOAP helps to pass a PHP session from one site to another site? I need to pass the user session to my other site using a PHP/Ajax/SOAP call.

This is pretty easy with a callback (here we have server1 as the origin and server2 as the server to redirect to):
From server1, redirect the user to http://server2/auth_from_server1.php?id=12345
On server2 (internally, in the PHP code of auth_from_server1.php), do a request to http://server1/secret/check_session_id.php with the ID, 12345.
On server1, in the implementation of check_session_id.php, validate the ID and return OK or FAILURE, plus the session-related data you want to pass, such as username, ...
On server2, when the call returns with OK, store the transferred session data, and give the user a cookie and session for this server.
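The four steps above, worked through as an added example (not code from the thread; it is written in Python rather than PHP so it runs stand-alone, and the in-memory dictionaries stand in for server1's session storage and server2's session table; the HTTP hops are modelled as function calls). The detail worth seeing is what makes the handoff ID safe to put in a redirect URL: it is random rather than the real PHP session ID, it expires, and check_session_id answers OK exactly once, so a copied or replayed URL fails.

```python
"""Cross-site session handoff via a single-use callback ID.

Added example, not from the original thread. server1 issues a short-lived,
single-use ID bound to the user's session data; server2 receives the ID on
auth_from_server1 and calls server1's check endpoint; server1 answers OK
exactly once (with the session data) and FAILURE for anything else.
"""
import secrets
import time

HANDOFF_TTL_SECONDS = 60  # assumption: an ID is only valid for one minute

# server1 state: pending handoff IDs -> (expiry timestamp, session data)
_pending_handoffs = {}
# server2 state: its own sessions, keyed by a fresh session ID
_server2_sessions = {}


def server1_issue_handoff(session_data, now=None):
    """server1: mint the ID that goes into the redirect URL.

    The ID is random (not derived from the PHP session ID, which must never
    leave server1) and is remembered together with an expiry time.
    """
    now = time.time() if now is None else now
    handoff_id = secrets.token_urlsafe(32)
    _pending_handoffs[handoff_id] = (now + HANDOFF_TTL_SECONDS, dict(session_data))
    return handoff_id


def server1_check_session_id(handoff_id, now=None):
    """server1: what check_session_id.php would do.

    Returns ("OK", data) once per ID; expired, unknown or already-used IDs
    return ("FAILURE", None). Popping the entry makes the ID single-use.
    """
    now = time.time() if now is None else now
    entry = _pending_handoffs.pop(handoff_id, None)
    if entry is None:
        return "FAILURE", None
    expires_at, data = entry
    if now > expires_at:
        return "FAILURE", None
    return "OK", data


def server2_auth_from_server1(handoff_id, check=server1_check_session_id):
    """server2: handler for auth_from_server1.php?id=<handoff_id>.

    `check` is the callback to server1; it is injected so the exchange can
    be exercised without network access. On OK the transferred data is
    stored under a brand-new server2 session ID, which is what server2
    would put into its own cookie. Anything else yields no session.
    """
    status, data = check(handoff_id)
    if status != "OK":
        return None
    new_session_id = secrets.token_urlsafe(32)
    _server2_sessions[new_session_id] = data
    return new_session_id


def server2_session_data(session_id):
    """server2: look up the session created by the handoff."""
    return _server2_sessions.get(session_id)


if __name__ == "__main__":
    hid = server1_issue_handoff({"username": "alice"})
    sid = server2_auth_from_server1(hid)
    print("server2 session:", sid, server2_session_data(sid))
    # A replayed ID (for example a leaked redirect URL) no longer works.
    print("replay:", server2_auth_from_server1(hid))
```

Two things the code assumes rather than enforces: the check endpoint lives under /secret/ in the answer, and it should genuinely be reachable only by server2 (network restriction or an authenticated call), and both hops should be HTTPS, since the ID is as sensitive as a password for the minute it is valid.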

Depends... If you use cookies to send the session ID from the user to the server, no, since the browser won't send the cookie to a different domain than the one it originated from.
You can however send the session ID as a parameter in the Ajax call. But this will only work if the other site has access to the session data, e.g. same server and session data is in /tmp.

Related

How exactly does the combination of sessions and cookies identify the correct user when a request is sent to the server?

Hi, I know that sessions are on the server side. When a user logs into a site we create a session and store user data in that session, and that session ID is a unique one. If multiple users log in to the same server, sessions with unique session IDs are created.
A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser.
In the browser cookie I have seen variables called SID and SSID.
Are those referring to the server's session ID???
Or
From what parameters of the cookie does the session identify that this is the correct user?
When I send a request to the server,
are those IDs in the cookie matched with the server session ID?
My question is how the server knows this is the correct user??
I have the idea of sessions and cookies, but their combination is not clear.
Actually I have searched this for a very long time, and I asked my friends and they also seem not to have a clear picture of this.
Please explain the scenario, thanks in advance.
That's the point, the server can't know this.
More in detail:
The server generates a unique ID, then this ID is sent to the client and the client stores this ID in his cookies. For every request the client sends his ID, so the server knows which session it has to take for this user. But the problem is, if someone else knows the ID because he's listening to the network traffic, he can use the session ID and the server thinks it's the same client as before and will take the same session as before. This is called session hijacking.
To prevent this, you have to store the IP address for each session key and check if they match, but even then it's not 100% sure, because if the client is in a NAT-secured network and the attacker is in the same network too, they'll have the same IP address for the server and the server can't distinguish the attacker from the client.
Follow this tutorial to make your sessions safer.
Cookies are sent together with every HTTP request, in the HTTP header. The session id stored in the session cookie is indeed used to match the user issuing the request with the session data on the server.
This presents a huge security hole when used over a non-secured connection, because anyone intercepting the traffic could just copy this session cookie and use it to issue his own requests. That's why more and more sites (Facebook, Google, ...) are "https only" sites. If that was not the case, it would be quite easy to get user data on most wi-fi hotspots.
When a session is initiated between the browser and server, a session ID is generated. This session ID is sent to the browser in a cookie. This cookie name can be configured, but by default it is PHPSESSID.
By default, PHP stores the session data in the server's file system in a file named "sess_SESSION_ID" (SESSION_ID being the same value you have in the cookie). All the data you write to the session using $_SESSION['some_key'] = $some_val; is stored in this file.
So next time when you send a request to the server, your browser will send the cookie in the header. By using this cookie data PHP determines whether there is an active session. And using this cookie, the server knows which file and which data to read.
Cookies are stored on the client side, and their lifetime can be set.
Every time a user visits your site a new session ID value is generated.
SID is just a variable defined in php.ini and you can change it.
So a cookie and a session ID are 2 different things.
Have a look here, this would help you:
PHP cookies and sessions security for user accounts
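To make the answers above concrete, here is an added example (not from the thread, and in Python rather than PHP so it runs by itself) of the server side of that matching: a random ID is handed out in a PHPSESSID cookie, the data is written to a file named sess_<ID> the way PHP's default file handler does, and a later request is resolved by reading the Cookie header, validating the ID and loading that file. The IP binding suggested in the session-hijacking answer is included as an optional check. The temporary directory and the JSON on-disk format are this example's own choices, not PHP's.

```python
"""How a server maps a request's cookie to stored session data.

Added example, not from the thread. Mirrors PHP's default behaviour:
PHPSESSID cookie on the client, sess_<ID> file on the server, lookup by
the ID on every request. JSON is used for the file contents here; PHP
uses its own serialization.
"""
import json
import os
import re
import secrets
import tempfile

SESSION_COOKIE_NAME = "PHPSESSID"
# PHP only accepts IDs made of these characters; anything else is rejected
# before it can touch the filesystem (so "../" never becomes a path).
_VALID_ID = re.compile(r"^[A-Za-z0-9,-]{22,128}$")

SESSION_DIR = tempfile.mkdtemp(prefix="php_sessions_")  # stands in for /tmp


def _session_path(session_id):
    return os.path.join(SESSION_DIR, "sess_" + session_id)


def create_session(data, client_ip=None):
    """Server side of session_start() for a brand-new visitor.

    Returns (session_id, set_cookie_header). The ID is random, so it cannot
    be guessed; the data is written to sess_<ID> together with the client
    IP it was issued to (None disables the IP check on later requests).
    """
    session_id = secrets.token_hex(16)  # 32 hex chars, like PHP's default
    record = {"ip": client_ip, "data": dict(data)}
    with open(_session_path(session_id), "w", encoding="utf-8") as fh:
        json.dump(record, fh)
    set_cookie = f"{SESSION_COOKIE_NAME}={session_id}; Path=/; HttpOnly"
    return session_id, set_cookie


def session_id_from_cookie_header(cookie_header):
    """Pull PHPSESSID out of a raw Cookie request header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE_NAME:
            return value
    return None


def load_session(cookie_header, client_ip=None):
    """What the server does on a subsequent request.

    Returns the stored data dict, or None when there is no cookie, the ID
    is malformed, no sess_<ID> file exists, or (if an IP was recorded) the
    request comes from a different IP than the session was created for.
    """
    session_id = session_id_from_cookie_header(cookie_header or "")
    if session_id is None or not _VALID_ID.match(session_id):
        return None
    path = _session_path(session_id)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        record = json.load(fh)
    if record["ip"] is not None and record["ip"] != client_ip:
        return None
    return record["data"]


if __name__ == "__main__":
    sid, header = create_session({"username": "alice"}, client_ip="10.0.0.5")
    print("Set-Cookie:", header)
    print("same client :", load_session(f"PHPSESSID={sid}", "10.0.0.5"))
    print("other client:", load_session(f"PHPSESSID={sid}", "10.0.0.9"))
```

The server never "knows" the user beyond this lookup: whoever presents a valid ID gets that session, which is why the ID must be unguessable and travel only over HTTPS. The IP check has the limitation the answer describes (NAT, mobile networks changing address), so treat it as a heuristic rather than a guarantee.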

Are cookies necessary for a login page?

Are cookies necessary to create a login page with PHP (that keeps you logged in across several pages), or could a session variable do the trick without the use of cookies?
The answer simply is yes.
Sessions rely on a session ID.
Sessions in PHP use a cookie to store this ID, but you can change it to append the ID to each URL instead of saving it in cookies.
ini_set('session.use_cookies', false);
In the config variable url_rewriter.tags, you see which URLs automatically get rewritten to append this ID:
"a=href,area=href,frame=src,form=,fieldset="
As Pekka mentions, jQuery requests and special JS/Ajax/jQuery calls are not rewritten by default and you have to append the ID manually like:
<script>
$.get('/yourpage/?PHPSESSID=<?php echo session_id(); ?>');
</script>
The session name can be obtained via session_name(); the default is in the config variable session.name.
Use ini_get(); or phpinfo(); to see your configuration.
Actually, if you are using sessions you can use a cookie or special GET/POST fields to identify yourself towards the server. The server, using the user ID passed either by GET/POST or a cookie, then knows which data set is connected to the current user/client on the server side. This way, using sessions, you can store data on the server side while only sending a special user ID to the client.
This way you can save login data for each user, thus login functionality can be implemented using sessions in PHP.
And yes, you can solve login with no other cookie than the session user ID, or use the POST/GET session ID.
Typically sessions are more reliable when working with keeping a user logged in. Sessions are stored on the server, whereas cookies are stored on the client side. So it comes down to: do you want your login dependent on something the client can control and manipulate?
I've had first hand issues with logins being hacked with cookies, so I suggest sessions.
No, you do not need cookies in order to set up a login system, sessions suffice. However, if you seek a "Remember me" option, you need cookies in order to keep the user logged in beyond the point when the user closes the browser or the session expires.
http://www.php.net/manual/en/features.sessions.php
For maintaining a session with the server, you need to identify yourself (your page) to the server, so that the server can keep track of your page's subsequent requests and maintain a session.
So, if you only have a username and password option on your login page, then cookies may not be required. Refer to the following link:
Passing the Session ID from page to Server
You can have a special URL which has the identifier as part of the URL, which will inform the server about your subsequent request.
However, please note that using this type of special URL is not always the recommended approach, because it is less secure than a cookie-based session. For example, someone may paste their own link in a chat or in an email, and the other person will enter your site without a username/password.
You can do authentication without cookies (or sessions which are a special case of cookies) but it won't be on a page. This method is called HTTP Authentication.

A client and a server, how should I validate a user when he logs in?

The current situation is that I have two separate applications.
One is the one I called *user_client* and the other is the server.
The user_client is mostly the "mark-up", HTML stuff. This application will just throw a request to the server and receive a response. That's all.
On the other hand, the server is a CodeIgniter installation, where its controllers will receive a request thrown by the client, process the data and send back a response.
But I am rather confused about how I validate a user and where to store their sessions.
The problem now is that I have a login form in the user_client, and I setup JavaScript code to do Ajax calls to the server.
Something like:
success : server_path + 'login',
What I have done so far is that I used the data sent by the Ajax call to the server to validate the user and save a session.
Am I doing it right? When I saved a session, it is a session of the server, right? Not the user_client.
And how do I check if the user is logged in? Is it still possible to do the following?
if (isset($_SESSION['whatever']))
What am I missing out about sessions? What are my misconceptions about sessions, because I believe there are.
A session (simplified) is just a way for the server to keep track of one particular user across page requests. CI sessions will keep track of the user by creating a cookie in the client browser that saves a session ID; that session ID (if set up to) will be saved in the database in the "ci_sessions" (default name) table. All session data will be saved there.
Doing it the way you suggest is fine, just be sure to use a secure connection when you pass the authentication to the server.

Logging into a website from android

Basically I have a form in my Android app that lets the user enter his/her username and password and then this is POSTed to a very simple login page made in PHP online. I then need to access a second page which pulls down data from an XML file; in order to access this page the user must be logged in. The XML page that the user sees is dependent on their username.
On my login page I have
session_start();
session_register("username");
At the beginning of each page that checks login I have
<?php
session_start();
?>
and to check if the user is logged in I use a simple if statement
if(!session_is_registered("username")){?>
display whatever
else bla
How can I make this work in my Android application? I am unable to go to the XML page after I have logged in because it does not recognise me as being logged in.
Firstly, perform the login using a web browser to ensure it works ok. Then do the same thing again, and use something like Live Http Headers or Charles Proxy to examine the request and response headers. I imagine there will be some kind of session cookie passed back and forth after a successful login. You would need to read the cookie from the response of a successful login and send it back with the request for your XML page.
EDIT
There is a simple example of performing a post with a cookie using HttpClient and another using HttpsUrlConnection in my question and answer in this thread.
If it's a single retrieval, why bother with sessions? Have the website serve the XML file as direct response to the request with the user credentials by the application.
If you need to use sessions for some reason, you need to search the reply to the POST request for the session id and deliver the session id with your request for the XML data. The session id is likely in the cookies, it can also be in the hyperlinks of the page (depends on how you setup your login).
PHP sessions are implemented with cookies. Whenever you call session_start(), the response includes a Set-Cookie header which sets a browser cookie containing the PHP session ID. By default (and unless you have renamed the cookie with the session.name PHP configuration option), the name of the cookie is PHPSESSID.
After logging the user in, subsequent requests need to be issued with a Cookie header containing the session ID. Before submitting each request, simply make sure that you re-use the CookieStore object that you used to log the user in (call AbstractHttpClient#setCookieStore on any new HttpClient instance).
Essentially, you need to programmatically perform a POST using the HttpClient libs in Android, pull the session cookie from the response (Set-Cookie header), and make sure to include that cookie in any subsequent requests to the server.
You can Google for how to use httpclient to do a post, like this. Here's an example of inserting a cookie into a request using httpclient. I'll let you read some javadocs / find some more examples to put it together.

PHP Session when using desktop app

In this question I asked how to POST to a PHP file from a VB.NET app: POST to webpage in vb.net (win forms, desktop, not ASP.net)
So now I've logged in the user by posting their username and password to the PHP file; the PHP file then does security checks, checks they exist, etc., and if both username and password are correct it stores the user ID in a session variable.
Now if the VB.NET app tries to download data off a page which needs the user to be logged in, it checks this by doing:
if (!isset($_SESSION['uid'])) {
header("Location: index.php");
}
However, after having logged in correctly in the app, the session variable is not set.
How does a session work with a VB.NET app like this?
When the user logs in successfully should I download the user ID and keep it in the VB.NET app and then post it to each page that requires authentication?
To have your PHP website recognize the VB.NET client as a logged-on user you need to send a cookie. When you use session_start() in PHP, PHP will set a random ID in the visitor's cookie to link the session with. What you need to know is what this ID is. More specifically, on your first request to the website, you should read this out.
In your other question I saw you are using a WebClient instance. If you send a request, there is also a property called ResponseHeaders. This is a collection that contains the response headers from the webserver (in this case the webserver that's running your site). This will likely contain a cookie code too.
For example:
' Requires Imports System.Net and Imports System.Text
Dim myWebClient As New WebClient
' Send the login form; the response body comes back as a byte array
Dim responseArray = myWebClient.UploadData("http://...", "POST", Encoding.ASCII.GetBytes(postData))
' Read the Set-Cookie header (this is where PHPSESSID arrives) from the same client instance
Dim MyCookie As String = myWebClient.ResponseHeaders.Item(HttpResponseHeader.SetCookie)
' Send that cookie back on the next request
myWebClient.Headers.Add(HttpRequestHeader.Cookie, MyCookie)
You have to process the responseArray in this example, but this is the basic principle for storing a cookie and sending it back. The next request you send out with the same instance of this WebClient will contain the cookie your site responded with on the last request. Basically it means the session ID that the PHP site creates will be remembered and sent back.
Personally I would write a little wrapper class around this. Just make a function that sends out a login request to your specific site. Then store the cookie, and every request you will send later you add this cookie to it. You could easily write a 'generic' method like
string GetPage(string URL);
string PostPage(string URL, string PostData)
etc.
You should basically implement the functionality of a browser with respect to session management. That is, either you should provide the session ID in your URL (if the webserver supports and allows this) or you should store the session ID in the cookie, and when doing the HTTP request, you should pass the cookie along. This is the preferred method.
Note that System.Web contains classes for doing HTTP requests and receiving HTTP responses, so you don't have to write everything by yourself; just use the classes in that namespace and you can implement it fairly easily.
Sessions in PHP (and every other web platform I know) work this way:
Client makes first request / sends login data
PHP creates session for client, a random session ID is generated
PHP script marks that session as "logged in"
PHP sends generated session ID to client (usually through a cookie)
Client makes subsequent requests and always sends along the session ID
PHP recognizes the client by the session ID and loads session data
If your client makes a request without sending the session ID some way, it will always be "not logged in" - the session ID is what makes the PHP script "remember" its state.
If your WebApp library doesn't handle session cookies (I'm not familiar with vb.net programming and libraries), look for a library that can, or - maybe easier - have the PHP script print out the session ID on successful login. Catch that printout in your app, and add the following GET parameter:
?PHPSESSID=123456
(123456 being your session ID) to every subsequent request you make from your app to PHP. That way, PHP should be able to recognize the correct session.
As I said, I'm not familiar with VB.NET so there may be more elegant, ready-made solutions for this. But this is definitely going to work if there are none.
Get your desktop app to read in the headers which are sent by the php script before the actual page content.
One of these headers will be the cookie data, you need to store this because you need to send this every time you request a page from the php script.
So, you need to find out how to read headers from a response and write headers for a request.
If this is too hard for you then you can pass data via the URL GET parameters, like: http://example.com/?loginid=12345
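The Android and VB.NET threads above describe the same client mechanism: POST the login, read the Set-Cookie header, send it back as a Cookie header on every later request. Here is that whole exchange as an added example, not code from either thread: a tiny local HTTP server in Python stands in for the PHP site (it issues a PHPSESSID cookie on a successful POST /login and refuses /data.xml without it), and a client shows the two outcomes the answers contrast, a request without the cookie being rejected and one that reuses the cookie jar filled by the login response being accepted. Credentials, paths and the XML payload are constructed for the demo.

```python
"""Login, capture the session cookie, replay it on the protected request.

Added example, not from the threads. A local server plays the PHP site
(random session id in a PHPSESSID cookie, protected XML page); the client
uses http.cookiejar the way the Android answer uses a CookieStore.
"""
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"alice": "correct horse"}   # constructed demo credential
SESSIONS = {}                        # session id -> username (server side)


class SiteHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the PHP login page and the session-guarded XML page."""

    def log_message(self, *args):     # keep the demo output quiet
        pass

    def _session_user(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        morsel = cookie.get("PHPSESSID")
        return SESSIONS.get(morsel.value) if morsel else None

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        if self.path == "/login" and USERS.get(user) == form.get("password", [""])[0]:
            sid = secrets.token_hex(16)  # fresh random id, like session_start()
            SESSIONS[sid] = user
            self.send_response(200)
            self.send_header("Set-Cookie", f"PHPSESSID={sid}; Path=/; HttpOnly")
            self.end_headers()
            self.wfile.write(b"login ok")
        else:
            self.send_response(401)
            self.end_headers()

    def do_GET(self):
        user = self._session_user()
        if self.path == "/data.xml" and user:
            self.send_response(200)
            self.send_header("Content-Type", "application/xml")
            self.end_headers()
            self.wfile.write(f"<data user='{user}'/>".encode())
        else:
            self.send_response(403)   # the PHP page would redirect to index.php
            self.end_headers()


def start_server():
    """Run the demo site on a random loopback port; returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), SiteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def fetch_status(opener, url):
    """GET url; return (status, body) instead of raising on 4xx."""
    try:
        with opener.open(url) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def login_then_fetch(base_url):
    """The client flow: POST credentials, keep the Set-Cookie, reuse it."""
    jar = http.cookiejar.CookieJar()   # the CookieStore of the Android answer
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    before = fetch_status(opener, base_url + "/data.xml")
    form = urllib.parse.urlencode({"username": "alice", "password": "correct horse"})
    with opener.open(base_url + "/login", data=form.encode()) as resp:
        assert resp.status == 200
    cookie_names = [c.name for c in jar]          # what Set-Cookie gave us
    after = fetch_status(opener, base_url + "/data.xml")
    # A fresh opener without the jar is what the askers' apps were doing.
    bare = fetch_status(urllib.request.build_opener(), base_url + "/data.xml")
    return before[0], cookie_names, after, bare[0]


if __name__ == "__main__":
    print(login_then_fetch(start_server()))
```

The cookie-aware opener is the whole trick: the server cannot tell a desktop or mobile client from a browser, it only sees whether the PHPSESSID it issued comes back. In a real deployment the login and every cookie-bearing request go over HTTPS, otherwise the captured Set-Cookie value is exactly what an on-path observer would also get.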
