-1

One year ago, I made a PHP social network which works pretty well. Via the browser, once the user logs in, I use the $_SESSION variable to store credentials and remember the user through all pages. Everything works well.

Now I'm trying to build the app version of the website, using PhoneGap and jQuery Mobile. At first glance I tried to use the same approach: to manage user login I implemented a simple form with Email and Password, which sends an AJAX request to a "check_login.php" file. If email and pw are correct, I "login the user", which simply means I store everything in the session variable, as I always did.

What I noticed, which is driving me crazy, is that using this approach data are not being stored into the $_SESSION variable. Using my app, each time I send an AJAX request to the server, the $_SESSION variable is gone and it looks like login data are not stored. Like I never logged in. (Of course, I've put session_start() at the top of each page). Moreover, each time I send an AJAX request to the server, the session_id() changes.

Is that normal? Does this mean with PhoneGap I can't rely on the $_SESSION variable, or am I just missing something? If yes, why?

Alberto Fontana
  • Check `session_id()`. Confirm that you're getting the SAME session ID everywhere. If you aren't, then the session cookie is getting lost and your mobile devices are getting a new/different session. E.g. you're not "losing" your sessions - you're just getting NEW ones. – Marc B Nov 10 '14 at 15:03
  • PhoneGap/Cordova don't work with sessions. It is a well-known issue. Use another approach like localStorage, or use the deviceId to authenticate. Just google it, there are a lot of how-tos. – wayne Nov 10 '14 at 15:14

1 Answer

1

The largest problem with this approach is that a pure PHP session will expire in a short period of time (the default is 24 minutes). So you're making inconsistently spaced calls that could cross that boundary of time.

There are a couple of ways around this:

First would be to change your session handler to save the sessions in something more long term (like a database). More overhead but you could retain the session ID for a longer period and store it within your localStorage.

The second would be to directly tokenize your logins. So a user logs in and gets some random hash back (i.e. `md5(uniqid(mt_rand(), true))`) that serves as their token. Then your app contacts a special page and passes that token and you can check it in your token table. This would afford you more control over your logins. You could expire the tokens at will and would not be at the same mercies of PHP sessions.

Machavity
  • As @wayne said and as I didn't know, this is an issue with Cordova. BTW your solution is the one I was thinking about, but before spending time on it I wanted to make sure that Cordova really doesn't work with PHP sessions. BTW thanks for the answer :) – Alberto Fontana Nov 10 '14 at 15:42
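
The token-table approach from the answer above, as an added example (not code from the original posts). It swaps `md5(uniqid(mt_rand(), true))` for `random_bytes()`, which draws from the CSPRNG, and stores only a SHA-256 hash of each token so a leaked table does not expose usable tokens. The `login_tokens` table, the function names, the 30-day lifetime and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: an in-memory SQLite database stands in for the site's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL
)');

// Called by check_login.php once the email and password have been verified.
function issue_token(PDO $db, int $userId, int $ttl = 2592000): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex encoded
    $stmt = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token; // returned to the app once; the server keeps only the hash
}

// Called at the top of every API page instead of reading $_SESSION.
function user_for_token(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input never reaches the database
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM login_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Logout, or server-side revocation of a lost device.
function revoke_token(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed walk-through with a made-up user id of 42.
$token = issue_token($db, 42);
var_dump(user_for_token($db, $token));                     // valid token
var_dump(user_for_token($db, issue_token($db, 42, -1)));   // already expired
revoke_token($db, $token);
var_dump(user_for_token($db, $token));                     // revoked
```

The app would send the token with each AJAX request over HTTPS, for example in a request header, and the server would call `user_for_token()` before doing any work.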