Using sessions in PHP with native mobile app - codeigniter

I am using CodeIgniter framework at server side to provide backend to a native mobile app. At server side I have to use cart. I am using db for sessions in CodeIgniter. When we use sessions then session_id in cookie of browser let the session work. Mobile app retrieves the session ID from server response after login request is successful - then this session_id can be sent from mobile app to the server in further requests.
Now is there a way in CI to get the data of session on the basis of sessionid? Like if mobile app sends session_id 'xyz' then how can I get the data of session whose session_id is 'xyz'? And how it will be better to work with the session while using cart with it?
Following is my login code. Sessions are being stored in ci_session table of db.
function login($username,$password){
$query = $this->db->select("id,username")->get_where(self::$table, array('username' => $username,'Password'=>$password));
$arr=$query->row_array();
if($arr){
$this->session->set_userdata(array('id'=>$arr['id'],'username'=>$arr['username']));
// $this->db->insert('ci_sessions',array('user_id'=>$arr['id'],'username'=>$arr['username']));
return $this->session->userdata('session_id');
}
return 0;
}
So how can I get session w.r.t. session_id and how can cart work with it? Because I think as in this document: http://codeigniter.com/user_guide/libraries/cart.html cart automatically stores content against loaded session. Therefore I need to load session according to session_id so I can use CIs cart library correctly.
How can I load the session based on session_id, or tell me if I am doing it in a bad way?

First of all, the Question is very bad formatted and written down thus not very understandable...
If I understand it right, here is what You get:
in mobile native app user logs in - a request to a CI based server
CI server logs user in, saves data to session and saves session to the DB while responding to mobile app with session ID
mobile app then sends the session ID whenever a request is send to the server (like when using a cart)
Now - if You have the session stored in the database table ci_session, You only need to request the contents of session stored in the DB table based on session ID provided, so using Your login script example I would do sth similar:
function loadSessionBySessionId($sessionId){
$query = $this->db->select("*")->get_where('ci_session', array('session_id' => $sessionId));
return $query->row_array();
}
Extend the code to meet Your coding convention and server side application. Somewhere else at the server side application where You process the request from mobile app You will check whether the session is returned or not (if no, a FALSE should be returned) and take further actions...
Don't know how Your cart is working - this part is just upon You (unless You make it clear to us what You want us to help You with Your cart).

Related

Apex Oracle : How to open a public page using a different session?

I have a public Apex app and I need a specific page to open in a different session. Not use the same session as the rest of the application.
Basically, I have in Chrome
Tab1 : Page A which requires authentication
Tab2 : Page B which is public
I need both pages to run in two different sessions.
At Page B level, I set "Rejoin Sessions" to Disabled
Now when I run the application, Page B opens in a new tab with a new session as expected, however, it kills the session of Page A and I'm redirected to login.
I'm using an Authentication Scheme with custumized session sharing:
Does anyone know how to solve that please ?
Thanks
Cheers,
The reason it kills your session from page A is because, on the client side, sessions are implemented using cookies. Both page A and page B are trying to use the same session cookie, with different session IDs, so whichever one writes to it more recently kills the other one.
If you view your cookies using your browser's F12 developer tools, you should see one like this:
Name Value Domain Path
ORA_WWV_APP_115305 ORA_WWV_FMN08hWNhlkjRDOIU_y yoursite.com /pls/apex (etc)
This is the session cookie for APP ID 115305, and the browser will send it along with every HTTP request to yoursite.com/pls/apex. Apex uses the Value to verify that you are allowed to have access to the session specified by the ID in your URL. If you modify either the cookie or the URL's session ID, your session is lost and Apex creates a new one for you.
So the Name + Domain + Path forms a sort of unique key here. You can only have one session for each unique Name + Domain + Path cookie.
I think the easiest solution here is to put your public page B in a separate Apex App. That way it'll have its own session cookie with a different Name.
(This is how the Oracle App Builder, which is also an Apex App, can have a separate session going at the same time without killing your app's session. Its cookies use a Name like ORA_WWV_USER_9872)
The alternatives are to use a different Domain or Path for page B, but that's trickier.
It looks like you've set up a custom Authentication Scheme, so I think your cookie would look like:
Name Value Domain Path
SESSIONCOOKIE ORA_WWV_FMN08hWNhlkjRDOIU_y yoursite.com / (etc)
But you're still using the same Authentication Scheme (and the same cookie) for both page A and page B, so they can't have separate sessions. This would be an instance where it might be nice if Oracle supported using a separate Authentication Scheme for each page, but they don't. This is what separate apps are for.

How to persist session data in an AngularJS application?

I have this web app written in AngularJs that uses cookies to authenticate the requests in a REST API.
Once the user logs in, the cookie is received and saved in the browser and all subsequent requests send the cookie along to the server. There is a 'User' service/object that saves the isLoggedIn and username values (for UI display/flow). Now, if I refresh the 'index' page, the app restarts. This means that my 'User' object will be cleared. I can check the existence of the cookie and, if it exists, I can re-set the User.isLoggeIn as true and go from there, but I still need to get the username, id, etc. So, my question is: should I create some sort of 'ping' endpoint in the API to verify if a cookie is valid? And if so, the API would send me back the user id and username... OR should I persist the user data in LocalStorage (or some similar cross-browser thing) and just assume the user is logged if the cookie exists? Any other subsequent requests to pages that need authentication would be automatically verified. So, this question really only applies to the scenario where the user refreshes the index page - hence, restarting the web app. I want to know the user data because I want to show a 'user homepage' instead of the 'public homepage'.
What do you think?
You should depend on the server for this. Creating something like GetCurrentUser method on the server. If the user is logged on this returns all the properties of the user.
You should even use this server api to get the user data after authentication completes. So the authentication become two step process first the user is authenticated, on success another call is made to server to get current users details.
Using client side local storage for this would not be ideal because you need to do lot of book keeping, in terms of cleaning the logged in user on log out or session expiration.
Also cookies from server would have expiration times an all, and making decision just based on cookie existing on local storage may not be optimal approach.

where should i set the session api and client

Here is the situation, I have setup 2 codeigniter installation.
One will be a client and one will be an api. Further improvement of this will be
The client will no longer be made from CI, since I wasn't using it's functionality. I just wanted to start out from a mvc framework right on.
My question would be where should I be storing sessions? during logins.
Below is how I did it, but I think I did it wrong.
I created a Login from the client. This one sends the login credentials to the api and then validated these information sent by the client and will return a message/response whethere the login credentials were valid or not.
If the login details were valid, the api will set a session in it's controller like this
if(true) {
$this->session->set_userdata($array);
}
This is in the login_controller I created. Is this the proper way of setting sessions for a client of a api?
You've got the concept right. You only want to set session userdata upon verifying the user supplied valid credentials.
That said, make sure you're using encrypted cookies and, if you're handling sensitive data, store your session data in the database. Storing it in the database causes some odd quirks with how sessions work in CodeIgniter (mainly with flashdata), but the added benefit of positive identification might potentially be worth it.
By storing the session data in the database, you can more positively verify a user is who they claim to be (in terms of the session ID, etc). The reason is because the session data is stored only in the database, and not in the session cookie (which only holds session ID and some other info). That way, even if someone does manage to decrypt the cookie, they can't modify their userdata to pretend to be someone else, like you might be able to with the cookies only method.

Using php sessions with ajax (mobile device)

I will explain my problem. I need to know if the steps below are correct:
The user enters their login details and these get submitted to the php server. If these are correct, I want to use the php code to start a session. However, because this is a mobile device I will be using html5 session storage. Now, my mobile website is all ajax based with no page reloads. So if the user submits the correct login credentials, I make an ajax response back to the user with what information? The SID/session_id of the session_start? Then, on the mobile device I place this session_id into the html5 session storage?
So, if these steps are correct, when the user then navigates around the website they are now logged in. And if they want to do something e.g. access a private page this creates an ajax request to the php server... this is where I am stuck. I assume that in this ajax request I send the session_id from the html5 session storage object, how does the php server use this id to prove the user is authentic? Presumably I need some kind of if statement and if it's not satisfied, send an ajax response back which my javascript will interpret as redirecting the user back to the login screen.
Many thanks if anyone can help me, it will be much appreciated as I am very stuck.
Note that cookies are not an option...
You could theoretically use HTML5 local storage to store the session ID, or transmit the session ID as a GET parameter in every request and pass it manually to PHP using session_id(), but I can't see the benefit. You might as well rely on cookies for this - they will be transmitted in Ajax requests.

node.JS - express framework create session and check if session exist

This is my server code, please take a look at the comments in the code.
var app = express.createServer();
app.get('/', function(req, res){
// create a session with the value of an email for example: me#gmail.com
});
// down here I want to check the session if the session exist
if( there is a session with value me#gmail.com){
//do stuff
}
The way sessions are implemented in Connect / Express doesn't allow for a custom session ID. This is partly because of security. So there's a bunch of things you can do.
Store everything in the session. Create an index somewhere (perhaps in a database) that maps email addresses to session IDs, so you can look up sessions by email.
Store only the email in the session. Keep the actual session data elsewhere (perhaps in a database), where you can fetch it by email address.
Create your own session middleware, perhaps based off Connect's code. The actual session code in Connect is a mere 300 lines. But be very careful to keep security features intact.

Resources