First of all I am developing a mobile application using phonegap / cordova so this is the reason I am looking to go this route.

I am wondering is it possible to get session status from php into javascript as I'm looking to secure my whole application to users only.

The PHP I have is as follows:

<?php

$dbhost = '';
$dbuser = '';
$dbpass = '';
$db = '';
$tbl_name=""; 

$conn = mysql_connect($dbhost,$dbuser,$dbpass);
mysql_select_db($db);

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$encrypt_password=md5($mypassword);

$myusername = stripslashes($myusername);
$mypassword = stripslashes($encrypt_password);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($encrypt_password);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){

    session_register("myusername");
    session_register("mypassword");
    session_start();
    $_SESSION["Login"] = "YES";
    header("location:login_success.html");
    echo $_SESSION['data'];
}
else {
    session_start();
    $_SESSION["Login"] = "NO";
    echo $_SESSION['data'];
}

?>

and the html file contains the following javascript

<script>
$.get('checklogin.php', function(data) {
    if (data != "YES") {
        window.location.replace("http://aam.prettypottery.ie/index.html");
    }
});
</script>

I think I am close, only every time I try to look at any of my html pages, they're all sending me back to the index.html.

Any help would be great. Thanks

Phughes
  • As pid mentions this will not be a very secure technique. For example, I could simply turn off javascript, or run my own script to circumvent yours. This is client side validation.. never trust the client – RyanS Feb 18 '14 at 15:24

1 Answer

Yes, it looks like you are close. But the other way around.

If security is of any importance to you, you should take into account this:

  • it's not the browser's responsibility to decide if a user is authorized and a page accessible;
  • the server should redirect if a reserved page is accessed with insufficient authorization (not logged in);
  • the $.get('checklogin.php', function(data) { shouldn't be there at all, this should be done server-side (in PHP);
  • your query $sql="SELECT * FROM $tbl_name WHERE ... is still vulnerable, at least use PDO;
  • passwords are hashed (not encrypted) with MD5 which may suffice for your site, but generally use salting and stronger hashes (SHA1 at least);
  • don't just test the result count but actually obtain some info from the DB and use that to authenticate.

Something like this:

SELECT username FROM accounts WHERE ...

and this:

$authenticated = strcasecmp($username, $resulting_username) === 0;

To solve your problem right now, you would have to render in PHP at least a variable that tells the Javascript code to redirect. Something like this.

In HTML/PHP:

<script>
  if (<?php echo ($authenticated ? 'true' : 'false'); ?>)
  {
    alert("Good boy!");
  } else {
    alert("Bad Trudy is bad!");
  }
</script>

Producing this HTML result:

<script>
  if (true)
  {
    alert("Good boy!");
  } else {
    alert("Bad Trudy is bad!");
  }
</script>

It suffices to deactivate Javascript and the page will not react at all to this code and display its content without any hindrance.

Links:

pid
  • I will certainly look at security issues in more depth but for the moment, working with Phonegap, how else would you propose I protect my pages to restrict to only users for after they register / login? – Phughes Feb 18 '14 at 15:28
  • I have added some more explanation on how to render a PHP variable inside your JS code so you can react client-side. Still, it makes puppies cry :) – pid Feb 18 '14 at 15:34
  • Cheers pid. After considering the puppies more, how would you feel about an HTTP header? I'm trying to read up on those as an alternative but of course, it doesn't seem too straightforward. In your opinion, am I going the right direction or wasting my time? Thanks again – Phughes Feb 19 '14 at 14:29
  • You mean when the server sees you are not authenticated it redirects you to the login? SURE! That's exactly [what you should do](http://stackoverflow.com/a/768472/3227403). – pid Feb 19 '14 at 15:33
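
The server-side check the answer and its last comment describe, as an added example that is not code from the question, the answer or any commenter: a PDO prepared statement, a fetched row verified with PHP's `password_hash()`/`password_verify()` (a salted hash, swapped in here for the MD5 in the question), and a redirect issued by the server. The `accounts` table, its `username` and `password_hash` columns, the `login.html` target and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example; table/column names and login.html are assumptions.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // Prepared statement: user input is bound as data, never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT username, password_hash FROM accounts WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Use the fetched row and verify the salted hash, rather than counting rows.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Login endpoint logic: the session only ever records a server-verified user.
function login(PDO $pdo, string $username, string $password): bool
{
    $user = authenticate($pdo, $username, $password);
    if ($user === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id after a successful login
    $_SESSION['user'] = $user;
    return true;
}

// Call first thing in every protected PHP page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        header('Location: login.html'); // the server redirects; no client script involved
        exit;
    }
}

// Constructed sample data: in-memory SQLite stands in for the real MySQL database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, password_hash TEXT)');
$pdo->prepare('INSERT INTO accounts VALUES (?, ?)')
    ->execute(['alice', password_hash('constructed-password', PASSWORD_DEFAULT)]);
var_dump(authenticate($pdo, 'alice', 'constructed-password'));
var_dump(authenticate($pdo, 'alice', 'wrong-password'));
```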