
I want to know if it's possible to keep PHP sessions alive between two requests...

I make the requests using the Flurl plugin:

    using Flurl.Http;

    public const string ApiUrl = "http://localhost/z/api.php";

    public static string MethodName()
    {
        using (FlurlClient client = new FlurlClient())
        {
            string res = client.HttpGet(string.Format("{0}?action={1}", ApiUrl, "captcha"), true);

            //Some actions... (the value of `r` is computed here; omitted in the question)

            return client.HttpPost(ApiUrl, new { action = "resolve-captcha", input = r }, false);
        }
    }

    public static string HttpPost(this FlurlClient client, string url, object data, bool keepalive = false)
    {
        return client.Request(url).PostUrlEncodedAsync(data).ReceiveString().GetAwaiter().GetResult();
    }

    public static string HttpGet(this FlurlClient client, string url, bool keepalive = false)
    {
        return client.Request(url).GetStringAsync().GetAwaiter().GetResult();
    }

And in the PHP part (API):

    //if isset $_GET then switch action key...
    case "captcha":
        if (session_status() == PHP_SESSION_NONE)
            session_start();

        $_SESSION['phrase'] = "hello";
        break;

    //if isset $_POST then switch action key...
    case "resolve-captcha":
        $secret = @$_SESSION["phrase"];

        if (session_status() == PHP_SESSION_NONE)
            die("No session!");
        else
            $coreData["secret"] = $secret;

        $input = @$_POST["input"];
        $coreData["valid"] = $input === $secret;
        break;

But for some reason, every time I do the next step (POST) the API returns that there isn't any session running.

As you can see here:

...

I have been reading and all the answers say the same, that I have to use cookies, cookies for what? To store the secret that the server should keep? I need to know how I can do two requests with the same session, or at least if this is possible, because I don't want to use MySQL (with an ID system, i.e.), I prefer to keep it easy.

z3nth10n
  • When you authenticate with the web application a session is created. That session is maintained across requests by the client including those cookies in subsequent requests (and yes the cookie will likely have a session identifier in it). Maybe look at a cURL cookie jar example? – ficuscr May 08 '18 at 21:52
  • Oh, it is the reverse, even better. Here is an example: https://stackoverflow.com/questions/13020404/keeping-session-alive-with-curl-and-php Ugh, had to reread the question a few times... how does the API handle authentication? – ficuscr May 08 '18 at 21:55
  • Thanks @ficuscr, well I read the thing you said about IDs in the cookies and their presence in subsequent requests, but I didn't understand what my possibilities are with this ID; it's like people are answering that with these IDs you can get the data from the last SESSION. – z3nth10n May 08 '18 at 22:00
  • Try changing it to: using (FlurlClient client = new FlurlClient().EnableCookies()) – David Moore May 08 '18 at 22:23
  • @DavidMoore this only enables cookies, but I don't really know how to use them to keep sessions alive or to make an identification system – z3nth10n May 08 '18 at 22:27
  • @z3nth10n When you create the session in PHP, it will send a cookie back to the client for the session. The client then needs to send that same cookie back with the next request, and PHP will automatically recognize and re-use the session. Now if you were using the normal HttpClient, you would create a CookieContainer and re-use the client, and it would work. Because you're using Flurl, I'm unfamiliar with that, so check their docs. You simply have to tell it to remember cookies from the server and send them with subsequent requests. – David Moore May 08 '18 at 22:30
  • Now I feel so stupid because I read it somewhere like 3 hours ago... https://i.gyazo.com/98e9c442995fe75720ccfa171bef63b0.png – z3nth10n May 08 '18 at 22:34
  • I solved it by passing my own id to the session via POST: https://i.gyazo.com/1abc7bcb13c84e958d7031d416e6dc86.png – z3nth10n May 08 '18 at 22:54

1 Answer

HTTP being a stateless protocol, the only way to "keep sessions alive" is to provide a session identifier in the query string or through inclusion of cookies that were returned as part of the first, authenticating, request.

That is the typical paradigm for a user accessing a web application from a web browser, or even in cURL.

Most APIs, going back to the days of SOAP through the present, are set up differently. They have you authenticate with every request. Just more practical with how they are used... from server-side code or with XHR client side.

For example, authenticating using JWT tokens is a common approach these days. You can expose the URI with the signed token to the end user and, short of potential replay attacks, not have to worry.

I think instead of me trying to explain, you should read this excellent article: http://shiflett.org/articles/the-truth-about-sessions There is a lot going on under the hood in PHP when it comes to sessions and cookies - worth checking out the section in the manual that pertains to the INI settings related to those two.

OK, so the API is the PHP code right...?

session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.

A good first step might be making the request to the API via your web browser, then looking at the response: do you see cookies being sent by the server?

On subsequent requests to the API, do you see those cookies being used - and, we assume, not asking you to re-authenticate? That's the gist of it. Again, depending on the nature of the API, cookie-based sessions might not be the best approach.

So, looks like support for cookies was added to that HTTP wrapper you use... https://github.com/tmenier/Flurl/issues/14

Possibly a more native approach? Struggling trying to get cookie out of response with HttpClient in .net 4.5

ficuscr
  • So, there's no way to achieve it if this isn't done with identifiers, and is there any alternative to SQL? Because I still don't understand how an identifier inside a cookie works; if you provide an example it will be great. And yep, I'm learning how to use JWT; also, I have posted a question with a JOSE-JWT implementation for C#; also, you can see the project title. Thanks!! – z3nth10n May 08 '18 at 22:04
  • I take a lot of this for granted, having moved from VB to web development many years ago; there is something of a paradigm shift. Strongly suggest getting in the habit of inspecting requests and responses between client and server: Wireshark or at least 'browser tools'. I'll try and provide a better example now in my answer. – ficuscr May 08 '18 at 22:07
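To make the "identifier inside a cookie" mechanism concrete, here is an added example that is not code from the question, the answer, Flurl or PHP: a small Python model of both ends of the exchange the question describes (captcha, then resolve-captcha) and of the answer's point that session_start() resumes a session from an identifier carried in a cookie. The `Api` class stands in for api.php, with session_start() semantics emulated in `_session_start` (resume the session named by the `PHPSESSID` cookie if the server knows it, otherwise mint a fresh random id and return it in Set-Cookie, the behaviour PHP's `session.use_strict_mode` gives); the `Client` class is the cookie jar that `EnableCookies()` or an `HttpClient` `CookieContainer` provides. All class and function names, the "hello" phrase and the response bodies are constructed for this example.

```python
"""Model of how a PHP-style session id cookie ties two HTTP requests together.

Constructed example: Api emulates api.php with session_start() run in both
branches; Client is the cookie jar a real HTTP library keeps for you. Names,
responses and the "hello" phrase are this example's own, not the question's.
"""
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "PHPSESSID"  # PHP's default session.name


@dataclass
class Response:
    """Stand-in for an HTTP response: status, body, and Set-Cookie headers."""
    status: int
    body: dict
    set_cookie: dict = field(default_factory=dict)


class Api:
    """Server side: api.php once session_start() runs before both actions."""

    def __init__(self):
        # sid -> dict; stands in for the files PHP keeps under session.save_path
        self._sessions = {}

    def _session_start(self, cookies):
        """Emulate session_start() with session.use_strict_mode=1: resume the
        session named by the cookie if the server created it, otherwise mint
        an unguessable id and ask the client to store it."""
        sid = cookies.get(SESSION_COOKIE)
        if sid in self._sessions:
            return self._sessions[sid], {}
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return self._sessions[sid], {SESSION_COOKIE: sid}

    def handle(self, action, cookies, post=None):
        session, new_cookie = self._session_start(cookies)
        if action == "captcha":
            session["phrase"] = "hello"  # real code would draw a random phrase
            return Response(200, {"ok": True}, new_cookie)
        if action == "resolve-captcha":
            secret = session.pop("phrase", None)  # one attempt per phrase
            if secret is None:
                return Response(400, {"error": "No session!"}, new_cookie)
            given = (post or {}).get("input", "")
            # constant-time compare; only the verdict leaves the server
            valid = secrets.compare_digest(secret.encode(), given.encode())
            return Response(200, {"valid": valid}, new_cookie)
        return Response(404, {"error": "unknown action"}, new_cookie)


class Client:
    """Client side: what EnableCookies() / CookieContainer do for you.
    With keep_cookies=False every request arrives without a session id."""

    def __init__(self, api, keep_cookies=True):
        self.api = api
        self.keep_cookies = keep_cookies
        self.jar = {}  # cookie name -> value, remembered between requests

    def request(self, action, post=None):
        resp = self.api.handle(action, dict(self.jar), post)
        if self.keep_cookies:
            self.jar.update(resp.set_cookie)  # honour Set-Cookie
        return resp


def solve_captcha(keep_cookies, answer="hello"):
    """The question's two-step flow; returns the body of the second response."""
    client = Client(Api(), keep_cookies)
    client.request("captcha")
    return client.request("resolve-captcha", {"input": answer}).body


def client_chosen_id_is_replaced():
    """An id the server never issued starts a fresh session instead of being
    adopted, which is the fixation protection use_strict_mode provides."""
    client = Client(Api())
    client.jar[SESSION_COOKIE] = "client-chosen-id"
    client.request("captcha")
    return client.jar[SESSION_COOKIE] != "client-chosen-id"


if __name__ == "__main__":
    print(solve_captcha(keep_cookies=False))  # {'error': 'No session!'}
    print(solve_captcha(keep_cookies=True))   # {'valid': True}
    print(client_chosen_id_is_replaced())     # True
```

With `keep_cookies=False` the second request lands in an empty session, which is the "No session!" outcome in the question; with the jar enabled the same two requests share state, because the only thing linking them is the `PHPSESSID` value the client echoes back. Two departures from the question's snippet are deliberate: the session is started before both branches (a branch that never calls session_start() cannot see `$_SESSION`), and the secret is never copied into the response, only the comparison result, so the phrase cannot simply be read back by the client.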