
I'm building a website, I have 2 pages, one for login and one to upload a file.

When the user logs in, I set the ID of that user, fetched from a database, into the $_SESSION variable. When the user goes to the second page, he can upload a file, and a reference to that file and the ID are stored in the database.

My front-end, btw, sits on a completely different domain, so when the user uploads the file, the $_SESSION variable will be empty. How can I solve this?

PHP check login page on example.com

<?php
session_start();

if (isset($_SERVER['HTTP_ORIGIN'])) {
    // Reflects whatever Origin the browser sent; together with Allow-Credentials
    // this allows any website to make requests that carry the session cookie
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');    // cache for 1 day
}

$a = headers_list();

require "Connessione.php";

$connessione = new Connessione();
$ris = $connessione->getUtente($_POST['id'] ?? '');

// $risposta was used below but never assigned in the posted code; assumed to be
// built from the lookup result so the script runs
$risposta = ['esisteGia' => !empty($ris)];

if ($risposta['esisteGia']) {
    $_SESSION['ID'] = $ris[0]['IDUtente'];
    $_SESSION['Tipo'] = $ris[0]['Ruolo'];
}

echo json_encode($risposta);
?>

Front end for the login written in ReactJS on example2.com

const esisteGia = () => {
  async function controllaCheEsistaGia() {
    let udid = "123";
    let data = new FormData();
    data.append("id", udid);
    let risposta = await fetch(
      "https://example.com/checkLogin.php",
      {
        method: "POST",
        body: data,
        credentials: "include"   // send and accept the example.com session cookie
      }
    );

    risposta = await risposta.json();
    console.log(risposta);
  }

  controllaCheEsistaGia();
};


At this point the $_SESSION is set.

uploadFile.php on example.com

<?php
session_start();
if (isset($_SERVER['HTTP_ORIGIN'])) {
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');    // cache for 1 day
}

if (!isset($_SESSION['ID'])) { // Here the session is now empty again
    // note: an XHR/axios call cannot follow this redirect to the login page
    header("Location: {$_SERVER['HTTP_ORIGIN']}/Login");
    die();
}
header('Content-Type: application/json; charset=utf-8');

$filePDF = $_FILES['pdfDaCaricare']['tmp_name']; // Also the $_FILES is not set, and I don't know why

example2.com/uploadFile

const caricaFile = async e => {
    const file = e.target.files[0];   // the file chosen in the <input type="file"> that fired the event
    const fd = new FormData();
    fd.append("pdfDaCaricare", file);

    await axios.post(
      "https://example.com/uploadFile.php",   // needs the scheme: "example.com/uploadFile.php" is a relative path on example2.com
      fd,
      {
        // "credentials: 'include'" and "method" are fetch options that axios ignores;
        // axios only sends cookies cross-origin with withCredentials
        withCredentials: true,
        // no manual Content-Type: the browser sets multipart/form-data with the boundary itself
        onUploadProgress: function(progressEvent) {
          let percentCompleted = Math.round(
            (progressEvent.loaded * 100) / progressEvent.total
          );
          document.getElementById("percentuale").innerText = percentCompleted;
        }
      }
    );
  };

Even on localhost, this doesn't work.

Davide Vitiello
  • *My front-end btw sits on a completely different domain* What does that mean? Do you mean you log in on one domain and upload from another??? – RiggsFolly Feb 27 '20 at 16:39
  • never use key `['ID']` for session – Zeljka Feb 27 '20 at 16:40
  • RiggsFolly: My backend PHP files are on one domain, whereas the HTML, CSS and JS files are on another one. Zeljka: could this be the problem? – Davide Vitiello Feb 27 '20 at 16:42
  • @DavideVitiello change it to `['myId']` or anything else and you will see :) – Zeljka Feb 27 '20 at 16:43
  • @DavideVitiello sorry, I just tested it on PHP 7.3 and it's working with `['ID']`, so probably that is not the problem. But in general it's always recommended to define your own custom key in the session. And always check `isset && !empty` – Zeljka Feb 27 '20 at 16:48
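The session is empty on uploadFile.php because the browser is not sending the example.com session cookie with the cross-origin request: axios needs `withCredentials: true`, the cookie has to be marked `SameSite=None; Secure` to be attached cross-site at all, and the server must answer with CORS headers for that specific origin rather than echoing any `Origin`. The following is an added example, not the asker's code: a shared include (assumed name cors.php) for the PHP endpoints on example.com. The allowlisted origin, the function names and the 401 JSON shape are assumptions for illustration.

```php
<?php
// Added example, not the asker's code: a shared include (assumed name cors.php) for the
// PHP endpoints on example.com, so the React front-end on example2.com can use the PHP
// session across origins. The allowlisted origin is an assumption for illustration.
declare(strict_types=1);

// Only front-end origins you control. Reflecting $_SERVER['HTTP_ORIGIN'] back as in the
// question, together with Allow-Credentials, lets any website send logged-in requests.
const ALLOWED_ORIGINS = ['https://example2.com'];

// Returns the request's Origin if it is allowlisted, otherwise null.
function allowedOrigin(array $allowlist): ?string
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    return in_array($origin, $allowlist, true) ? $origin : null;
}

function sendCorsHeaders(string $origin): void
{
    header("Access-Control-Allow-Origin: $origin");
    header('Vary: Origin');                           // shared caches must key on Origin
    header('Access-Control-Allow-Credentials: true'); // allow the session cookie
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
    header('Access-Control-Max-Age: 86400');
}

function startCrossSiteSession(): void
{
    // A cookie that a page on example2.com sends to example.com is a cross-site cookie:
    // browsers attach it only when it is SameSite=None and Secure (both sites on HTTPS).
    // The cookie parameters must be set before session_start().
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',        // host-only cookie for example.com
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',    // array form needs PHP >= 7.3
    ]);
    session_start();
}

// Call first in every endpoint, before any output.
function beginCrossOriginEndpoint(): void
{
    $origin = allowedOrigin(ALLOWED_ORIGINS);
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

    // Modern browsers send an Origin header on every cross-origin POST, including a plain
    // HTML form post from a third-party page. Refusing unknown origins on POST therefore
    // also blocks CSRF against a SameSite=None session cookie.
    if ($method === 'POST' && $origin === null) {
        http_response_code(403);
        exit;
    }
    if ($origin !== null) {
        sendCorsHeaders($origin);
    }
    if ($method === 'OPTIONS') {      // preflight: no cookies, no body; answer and stop
        http_response_code(204);
        exit;
    }
    startCrossSiteSession();
}

// For uploadFile.php: an XHR cannot usefully follow a redirect to the login page,
// so reply with 401 JSON and let the front-end route to /Login itself.
function requireLogin(): int
{
    if (empty($_SESSION['ID'])) {
        http_response_code(401);
        header('Content-Type: application/json; charset=utf-8');
        echo json_encode(['error' => 'not logged in']);
        exit;
    }
    return (int) $_SESSION['ID'];
}

// Usage in checkLogin.php:  require 'cors.php'; beginCrossOriginEndpoint();
// Usage in uploadFile.php:  require 'cors.php'; beginCrossOriginEndpoint(); $idUtente = requireLogin();
```

On the client side the matching change is `withCredentials: true` in the axios config (or `credentials: "include"` with fetch) and no hand-written `Content-Type` header for a `FormData` body. Because the include refuses POSTs without an allowlisted `Origin`, non-browser clients such as curl have to send that header explicitly when testing.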

1 Answer

-1

The Session Cookie works only for one domain so probably even https://example.com/checkLogin.php would have problems with the session.

Maybe use different measures to authenticate your user.

Fabian Börner
  • And is it not possible to have the session cookie passed from domain to domain? – Davide Vitiello Feb 27 '20 at 16:58
  • For subdomains or other resources behind the same domain via session cookie. You could share the sessions in the backend via some store and then try to restore it by passing the session id via the URL or something. Don't know why some people start to downvote my answer, seems they didn't understand it. – Fabian Börner Feb 27 '20 at 17:13
  • Check your session cookie for what domain it's created. Probably check out this post https://stackoverflow.com/questions/14611545/preserving-session-variables-across-different-domains – Fabian Börner Feb 27 '20 at 17:14
  • also verify that the session cookie value is in php so the session can be restored – Fabian Börner Feb 27 '20 at 17:23