-1

I have reduced the code in both files to try and figure out what is going on.

In my first file loginuser.php, I am running the following lines:

<?php
session_start();

$_SESSION['user_id'] = "test";

// more code follows; nothing else that involved user id or session

To double-check that the $_SESSION variable is indeed set, I ran the following modified approach:

<?php
session_start();

$_SESSION['user_id'] = "test";

$response['success'] = false;
$response['message'] = $_SESSION['user_id'];

echo json_encode($response);
exit;

When $response['success'] is false, the message is printed. So at this point I know that the $_SESSION variable was indeed set and I am getting a body response.

In my second file addrelease.php, I then run the following lines to check if I am seeing the session variable even before I do anything else:

<?php
session_start();

$response['message'] = $_SESSION['user_id'];

// more code would follow but again i will force message to pop and exit
$response['success'] = false;
echo json_encode($response);
exit;

The app will toast "Error, no response" if there is no body provided in the response (I am using retrofit) and this is exactly what happens. Given this, I know that addrelease.php does not even echo the response.

To confirm my suspicion that something is going on with the $_SESSION variable, I replaced $_SESSION['user_id'] in addrelease.php with "test2" and now I am getting a body with the message that I forced.

Most posts that I am finding seem to resolve their issue by ensuring that session_start() is the very first thing that is called and double-checking the session_save_path. I have looked at both of these and can't find any issues.

Hoping someone can help me, thanks in advance!

P.S. this is all new to me so please excuse if I am making a very basic mistake somewhere.

How exactly are you calling your addrelease.php script? Sounds like whatever is making that background(?) request, is probably not sending the session id.

Here is how I understand it to happen:

NewReleaseActivity.java

Call<ReleaseModel> releaseModelCall = apiInterface.addRelease(
                owner.trim(),
                binding.textInputEditTrackName.getText().toString().trim(),
                binding.textInputEditArtist.getText().toString().trim(),
                label.trim(),
                binding.textInputEditISRC.getText().toString().trim(),
                binding.textInputEditUPC.getText().toString().trim(),
                releaseDate,
                TextUtils.join(",", buttonStates),
                percentage
                );

ApiInterface.java

@FormUrlEncoded
@POST("addrelease.php")
Call<ReleaseModel> addRelease(@Field("owner") String owner,
                              @Field("track_name") String trackName,
                              @Field("artist") String artist,
                              @Field("label") String label,
                              @Field("isrc") String isrc,
                              @Field("upc") String upc,
                              @Field("release_date") LocalDate date,
                              @Field("button_states") String buttonStates,
                              @Field("release_progress") float releaseProgress);

Additional Context

My goal is to get the session variable to bind with owner in my prepared statement:

    $sql = "INSERT INTO releases (owner, track_name, artist,
                      label, isrc, upc,
                      release_date, button_states, progress) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt->bind_param("ssssssssd",
        /*$_POST["owner"]*/ $_SESSION['user_id'],
        $_POST["track_name"],
        $_POST["artist"],
        $_POST["label"],
        $_POST["isrc"],
        $_POST["upc"],
        $_POST["release_date"],
        $_POST["button_states"],
        $_POST["release_progress"]
    );
dan
  • 347
  • 2
  • 14
  • 1
    How exactly are you calling your `addrelease.php` script? Sounds like whatever is making that background(?) request, is probably not sending the session id. – CBroe Nov 29 '22 at 10:52
  • @CBroe Hi, answered your question with an edit, let me know if it's what you wanted to see. – dan Nov 29 '22 at 15:41
  • That doesn't look like you were sending a session id anywhere? (Unless the used package is supposed to take care of that automatically somehow?) – CBroe Nov 30 '22 at 06:53
  • @CBroe So I don't need to do anything with the session variable in Java, I just want to use it as one of the variables in my SQL prepared statement. Editing my question with more details on that. – dan Nov 30 '22 at 15:16
  • It doesn't matter whether you want to "do" anything with the data in the Java part - you still need to send the session ID with your request, otherwise PHP will not know _which_ session to pick up again. – CBroe Nov 30 '22 at 15:20
  • @CBroe Sorry, could you explain the steps I should be taking? I am not familiar with the session id, is this something that $_SESSION requires to work correctly? Again, this is all new to me. – dan Nov 30 '22 at 15:23
  • https://stackoverflow.com/questions/1535697/how-do-php-sessions-work-not-how-are-they-used – CBroe Dec 01 '22 at 06:51
  • @CBroe I see a lot of mentions of cookies and URLs for web apps. I am working in Android Studio on a mobile app to learn the topic, so how would I go about handling this? Overall I still don't understand how I should be going about this even after reading the linked post. Could I get more specific help? – dan Dec 01 '22 at 13:18
  • 1
    @dan go catch a contract with a PHP consultancy, they can just run you through. The other option is documentation after you've tried Q&A and had to as a-new. – hakre Dec 01 '22 at 13:26
  • For starters, figure out how to see the raw requests and responses or how to log them to a log file in your Java app. Indirect debugging through toast popups give you too little information and bear the possibility of something being incorrectly processed on the Java side, while the API is actually fine. – deceze Dec 01 '22 at 13:27
  • @deceze using the debugger, the specific error that comes back is 'java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $' which from my experience doesn't actually help me all that much other than telling me something is wrong with my json response. – dan Dec 01 '22 at 14:00
  • As long as you don't send a session ID, PHP will likely produce error output at the point where you try `$response['message'] = $_SESSION['user_id'];` - so your response won't be valid JSON then any more. – CBroe Dec 01 '22 at 14:27
  • 1
    _"I see a lot of mentions to cookies and URLs for web apps."_ - the main aspect is, that PHP needs to get the session ID passed _somehow_. Cookies are the method of choice for that in a web setting, but you can of course submit it in a different way from your android app - as a GET or POST parameter. (Might need to modify PHP settings to not _only_ accept it via cookie though.) – CBroe Dec 01 '22 at 14:40
  • 1
    If you send an initial request without a session ID, then PHP will create a new session - and set a cookie with that ID. So your Android app would then have to grab the value from that Set-Cookie header in the response at least then. Or you could have your app generate a random session ID upfront, and send it with the first request already. – CBroe Dec 01 '22 at 14:43
  • 1
    @CBroe That last one could lead to session fixation attacks and should not be allowed by a properly configured PHP installation. – deceze Dec 01 '22 at 14:46
  • @deceze fair point. If fishing it out of a Set-Cookie header in android seems too much hassle, then it could also be added to the JSON data that gets returned by the endpoint, then the Android app can easily grab it from there. – CBroe Dec 01 '22 at 14:48
  • @CBroe Thanks, so from all this my understanding is that on login.php I should be getting a session ID from somewhere, and then passing that session ID to addrelease.php so it knows which session to grab from? And if this is the case, how (and which) session ID should I be passing? Is this something that is generated when I call start_activity(), or do I have to generate something with say UUID for example in login.php and pass that along? If the latter, how do I then let $_SESSION know that they should use this generated string as the session ID? – dan Dec 01 '22 at 17:09
  • You get the session id, by making a request to a script using session_start(). And you then need to send it back with your next request, so that PHP will know which session to pick up again. – CBroe Dec 02 '22 at 07:04
  • 1
    You should use a CookieJar, as shown [here](https://stackoverflow.com/a/53768352/12763954) (just replace `"login"` with `"loginuser.php"`). Then the session cookie will be automatically transmitted. – Olivier Dec 02 '22 at 08:54
  • @Olivier This appears to be exactly what I was missing and now the $_SESSION variable is indeed working across the .php files. I also did some extra reading to add an interceptor to my OkHttpClient which should be helpful for logging requests when I need to see them. – dan Dec 02 '22 at 21:24
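
An added example (not code from the thread or its participants) showing the server side of two points raised in the comments above: addrelease.php should answer with well-formed JSON when no session cookie arrives, and PHP should refuse session IDs chosen by the client. The helper names `start_api_session`, `json_reply`, `login_user` and `require_owner` are hypothetical.

```php
<?php
// Hypothetical shared helper file, included by loginuser.php and addrelease.php.
declare(strict_types=1);

function start_api_session(): void
{
    // Refuse session IDs the server did not issue, so a client-generated ID
    // (the session fixation case from the comments) starts a fresh session.
    ini_set('session.use_strict_mode', '1');
    // Take the ID from the cookie only, never from a GET or POST parameter.
    ini_set('session.use_only_cookies', '1');
    // Add 'secure' => true when the API is served over HTTPS.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

function json_reply(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// loginuser.php: call only after the credentials have been verified.
function login_user(string $userId): void
{
    start_api_session();
    session_regenerate_id(true);      // new ID for the authenticated session
    $_SESSION['user_id'] = $userId;
    json_reply(200, ['success' => true, 'message' => 'logged in']);
}

// addrelease.php: returns the owner stored in the session, or stops with a
// valid JSON 401 body instead of an "undefined index" warning that would
// corrupt the response the app tries to parse.
function require_owner(): string
{
    start_api_session();
    if (!isset($_SESSION['user_id'])) {
        json_reply(401, ['success' => false, 'message' => 'not logged in']);
    }
    return $_SESSION['user_id'];
}
```

In addrelease.php the value returned by `require_owner()` is what gets bound as `owner`, so the client-supplied `owner` field is never trusted. With Retrofit, a non-2xx reply such as this 401 arrives in `errorBody()` rather than `body()`.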

2 Answers

0

Just to give this post an answer, a comment by Olivier mentioned I should use CookieJar and that seemed to solve my issue of having the session variable work across .php files.

I then ran into an issue where my CookieJar implementation was non-persistent, however I have also found a solution to this and you may read about it here.

Thank you all for the help.

dan
  • 347
  • 2
  • 14
-1

echo session_id();

After you start the session, the value of the above should be the same for both pages. If not, it is highly likely that there is some issue with your .htaccess file where some rule is impacting on the session.

Randika
  • 129
  • 1
  • 2
  • A comment mentioned I should use CookieJar and that seemed to solve my issue of having the session variable work across .php files. But perhaps an issue that I am having now alludes to what you have mentioned, as in my new post I have found that while my loginuser.php file is able to access the correct session file after I call regenerate id, the other addrelease.php file is using the old session file before regeneration: https://stackoverflow.com/questions/74663032/app-using-old-session-file-after-session-regenerate-id – dan Dec 07 '22 at 19:19