First of all, I'm asking this before I make all of the code changes necessary to implement this in my website. 99% of data in my application is generated via AJAX and transmitted as JSON back to JavaScript, which is responsible for generating all HTML content. This works similarly to Angular.js but with a PHP backend. The only thing index.php does is start the session and perform some other session-related tasks, like distinguishing a guest from a logged-in user and updating the last time seen for the guest/user's IP address.

Here's what i want to do:

  1. Get the session's ID after creating it, using session_id().
  2. Add it to an array and JSON-encode it.
  3. Decode the JSON with JavaScript and manually create/update the session ID cookie with the jQuery cookie plugin.

My question is: if I store the PHP session ID in this manner, will PHP still treat the session as valid when making requests to my AJAX API? I'm attempting to build an application with a static HTML/JS frontend that interacts entirely through this AJAX API. The goal is to offer similar characteristics and performance to what you get with Angular.js. Is this possible, and if so, is this advisable?

r3wt
  • Why would you want to update the session cookie via JSON? PHP will set it automatically. Or why wouldn't it? – Lorenz Meyer Jul 31 '14 at 22:34
  • @LorenzMeyer I'm attempting to have a static index.html and have all PHP go through the AJAX controller, hence wanting to pass the session ID manually via JSON and then set it in the browser. I want to do away with the PHP index file completely, and opt for an entirely HTML/JS front end. – r3wt Jul 31 '14 at 22:41

3 Answers

Look at "Can an AJAX response set a cookie?". There's no need to set the cookie via JSON and JavaScript. PHP and HTTP will do it for you.

Lorenz Meyer

If you change your session ID with JavaScript, PHP will not show it as valid unless you send the old session ID and the new session ID to the server and set the old session ID to the new session ID in PHP.

I am not sure that you would want to do this though.

fatcinco
  • Not even close to what I'm asking, but I appreciate the attempt. I'm talking about creating the sessions and updating the session IDs in PHP, then passing them back in the JSON responses and setting/updating them via JavaScript. Since all cookies are sent with the HTTP request, I'm theorizing that this will work as long as the session prefix is valid and the session ID is valid. – r3wt Jul 31 '14 at 22:42

Do not do that. If you do that, session hijacking will be much easier to do. Stick with PHP setting the cookie with the httponly option. The 'httponly' option alone makes it harder to do session hijacking.

Charlotte Dunois
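
What the answers above recommend, as an added example that is not part of the original thread: an AJAX endpoint that lets PHP set the session cookie itself with `httponly`, so a static index.html never handles the session ID in JSON or JavaScript. The file name `api.php`, the `action`/`user`/`pass` parameters and the demo account are hypothetical; it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// api.php - hypothetical AJAX endpoint (added example, not from the original thread).
// Assumes PHP >= 7.3 and that the site is served over HTTPS.

// Let PHP issue the session cookie itself; the ID never appears in the JSON body.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable through document.cookie
    'samesite' => 'Lax',
]);
session_start([
    'use_strict_mode'  => 1, // reject session IDs the server did not issue
    'use_only_cookies' => 1, // never accept the ID from the URL
]);

// Constructed demo account; a real application would query its user store.
const DEMO_USER = 'alice';
$demoHash = password_hash('demo-password', PASSWORD_DEFAULT);

header('Content-Type: application/json');
$action = $_POST['action'] ?? 'whoami';

if ($action === 'login') {
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');
    if (hash_equals(DEMO_USER, $user) && password_verify($pass, $demoHash)) {
        // New ID at the privilege change; the old one stops being valid.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        echo json_encode(['ok' => true, 'user' => $user]);
    } else {
        http_response_code(401);
        echo json_encode(['ok' => false]);
    }
    exit;
}

// Any later AJAX call: the browser sends the cookie back automatically.
echo json_encode([
    'ok'        => true,
    'logged_in' => isset($_SESSION['user']),
    'user'      => $_SESSION['user'] ?? null,
]);
```

The static page only needs to make same-origin AJAX requests to this endpoint; the browser stores the `Set-Cookie` header from the response and returns the cookie on every later request without any script touching it.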