
I have an iPhone application that communicates with a database which includes things like user data (i.e. username, email, password). I created a PHP API for that, and I connect to that API in the iPhone app. My problem here is: I save the user id in $_SESSION to restore it later when needed. When I manually log in, $_SESSION variables get saved easily and I can call them whenever I want, but when the app automatically logs in (which is obviously after the first log in, where the username and password get stored in the iPhone keychain), $_SESSION variables don't get saved. I noticed that they only get stored and called with no problems after I log out, which translates to after session_destroy();. Here's the PHP code I use for logging in and out:

<?php
session_start();   // must run before any output on every request that touches $_SESSION

// query() and errorJson() are the asker's own helpers and are not shown in the question.
// Note: the password is compared in plaintext here (see the comments on the question).
function login($user, $pass) {
    $result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);

    if (count($result['result']) > 0) {
        // remember the authenticated user for later requests
        $_SESSION['IdUser'] = $result['result'][0]['IdUser'];
        print json_encode($result);
    } else {
        errorJson('Authorization failed');
    }
}

function logout() {
    // clear the session data, then drop the session itself
    $_SESSION = array();
    session_destroy();
}

I tried to add session_destroy(); at the start of the login method, but it didn't work.

By the way, I can alternatively save IdUser in NSUserDefaults or the iPhone keychain and send it to the server when needed. Is it safe/not wrong to do such things on the app side rather than the server side?

Abdelrahman Eid
  • I don't really get your question... Are you sure sessions work with your app, and that a cookie or something else wouldn't be better? – kero Feb 19 '14 at 00:46
  • I am sure it works, I know this is strange somehow. But probably it could be me missing something. BTW, if I called `logout` in `applicationDidEnterBackground` and called `login` in `applicationDidBecomeActive` it works (for sure, after I close the app while it's in the background and open it again), but only for this time, when I re-open the app it doesn't work. – Abdelrahman Eid Feb 19 '14 at 00:51
  • Is `session_start()` being called at the very first line in the PHP file (before anything is outputted)? – SameOldNick Feb 19 '14 at 00:59
  • Your SQL statement suggests that you're saving your password in plaintext. That's not true, right? – kba Feb 19 '14 at 01:00
  • @kba No, that's right. I created this database with the intention of gaining new skills and testing. – Abdelrahman Eid Feb 19 '14 at 01:02
  • @Abd-ElrhmanRizk Don't ever ever do that. Please read [PHP: Safe Password Hashing](http://www.php.net/manual/en/faq.passwords.php). – kba Feb 19 '14 at 01:54
  • Is the iPhone app sending the cookie with the session id? – Anthony Feb 19 '14 at 03:50
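As an added example (not the asker's code and not from either answer below), here is how the login flow in the question can be rearranged so that the question about storing IdUser on the app side answers itself: the app keeps only an opaque random token, and the server derives IdUser from that token on every request, so a client can never pick its own user id. It also takes in the comments about plaintext passwords (password_hash/password_verify, prepared statements) and Anthony's point about the session cookie: a bearer token the app sends itself does not depend on the iOS HTTP stack persisting a PHP session cookie between launches. Assumptions not in the original post: PDO with the sqlite driver, an in-memory database built inside the script, the table names login and api_token, the column pass_hash, and a constructed sample user 'alice'.

```php
<?php
// Added example: token-based API login with hashed passwords and server-side user lookup.
// Assumes PDO with the sqlite driver. Schema, sample user and token table are constructed here.

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE login (IdUser INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');
        $pdo->exec('CREATE TABLE api_token (token_hash TEXT PRIMARY KEY, IdUser INTEGER, expires_at INTEGER)');
        // Constructed sample user. Only the password hash is stored, never the plaintext.
        $st = $pdo->prepare('INSERT INTO login (username, pass_hash) VALUES (?, ?)');
        $st->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Login: verify the password against its hash, then hand back an opaque random token.
// The server stores only a hash of the token, so a leaked database does not leak live tokens.
function login(string $user, string $pass): ?string {
    $st = db()->prepare('SELECT IdUser, pass_hash FROM login WHERE username = ? LIMIT 1');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null;   // same response for unknown user and wrong password
    }
    $token = bin2hex(random_bytes(32));
    $st = db()->prepare('INSERT INTO api_token (token_hash, IdUser, expires_at) VALUES (?, ?, ?)');
    $st->execute([hash('sha256', $token), (int)$row['IdUser'], time() + 30 * 24 * 3600]);
    return $token;   // the app stores this in the keychain and sends it with every request
}

// Every later request: the user id comes from the token the server issued,
// never from an IdUser field the client chooses to send.
function userIdFromToken(string $token): ?int {
    $st = db()->prepare('SELECT IdUser FROM api_token WHERE token_hash = ? AND expires_at > ?');
    $st->execute([hash('sha256', $token), time()]);
    $id = $st->fetchColumn();
    return $id === false ? null : (int)$id;
}

// Logout: revoke the token on the server; clearing the keychain alone would not do that.
function logout(string $token): void {
    $st = db()->prepare('DELETE FROM api_token WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
}

function expect(bool $ok, string $what): void {
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
    echo "ok: $what\n";
}

// Demo run against the constructed data.
$tok = login('alice', 'correct horse');
expect($tok !== null, 'correct password yields a token');
expect(login('alice', 'wrong') === null, 'wrong password yields no token');
expect(login('mallory', 'correct horse') === null, 'unknown user yields no token');
expect(userIdFromToken($tok) === 1, 'token resolves to IdUser 1 on the server');
expect(userIdFromToken('ffff' . substr($tok, 4)) === null, 'tampered token resolves to nobody');
logout($tok);
expect(userIdFromToken($tok) === null, 'token is unusable after logout');
```

Run it with `php example.php`. The point relative to the question: if the app stored IdUser itself and sent it back, the server would be trusting the client to say who it is; with this layout the app only ever holds a random token, and IdUser exists only on the server side.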

2 Answers


Try the logout function like this:

function logout() {
    session_start();
    $_SESSION = array();
    session_destroy();
}

Try the logout function like this:

function logout() {
    session_start();
    session_destroy();
}

  1. When you call the logout function, it doesn't call session_start(), so you can't get the session variables. You should get them before you edit them.

  2. Detail: php.net session_destroy()

SuperBear