21

I'm logged in on Banana.com. Banana has an API link on /app/ajax_loggedin.

My website is Monkey. Monkey runs a simple GET json to banana's /app/ajax_loggedin, which returns a loggedin value either 1 or 0.

Why is it always returning 0 when it's through ajax, even though I really am logged in on Banana, and accessing the link directly gives me 1? How can the developer at Banana fix it?

I would have understood it if it's a server side call, but I don't understand why it won't tell me if I'm logged in, if Banana makes the request. Running a session_id() check, it generates a new one each call through ajax, and when accessing directly it works just fine and keeps the same.

Is there any fix or another way to do this?

Bruce
Karem
  • Sounds like dev at Banana needs to store sessions (with timeout value) in a table. Then it can query the table and tell if you're still logged in. – Jordan Jul 01 '15 at 13:45
  • How will that solve the solution? And without knowing what user in the Monkey end. They just want to know if they are logged in to Banana or not. – Karem Jul 01 '15 at 14:20
  • Obviously you'd have to set it to accept a parameter (userid) to tell if logged in. – Jordan Jul 01 '15 at 14:23
  • I don't get it. So Monkey's site should know the userid to send over to Banana? That's not what I'm looking for; instead, the same browser the user is sitting on should just make a call that can verify that the user who is visiting is logged in on Banana. How can I improve my explanation if it doesn't make sense? :( – Karem Jul 01 '15 at 16:30
  • If I understand you well, you need to set up CORS on banana.com so that AJAX requests can be made from monkey.com, unless JSONP is a possibility. – Ja͢ck Jul 07 '15 at 00:06
  • So you want to crawl Banana and act like a real visitor authenticating with Banana.com API? – Junior Jul 07 '15 at 00:06
  • You need to give us more details of the actual implementation (and less monkey/banana prose). Let’s start with this one: Is this an _actual_ AJAX request (using CORS), or just a JSONP request? – CBroe Jul 07 '15 at 00:07

5 Answers

8

Every point of entry or call to the server (APIs) needs to have session_start() at the beginning. If it does not read in the session identifier, it will act as if there wasn't one and then return a new session identifier. When your browser gets the response, it will overwrite the session identifier with the new one. Make sure that you have session_start() at the top of all places where you make a call to the server so that it knows what session to use.

Cohan
  • That is not true, it depends on the version of PHP you are using – kayleighsdaddy Jul 07 '15 at 17:40
  • I'm intrigued. Can you provide a reference or an example? If I'm wrong I'd like to learn something new. – Cohan Jul 07 '15 at 17:50
  • I guess I stand corrected, it is a setting in the ini file on whether or not you need to use session_start or not. I just know that many of the servers I program on if you use session_start you get an error. Sorry about the down vote, it will not let me take it off. – kayleighsdaddy Jul 07 '15 at 18:03
6

There's actually not enough information to definitively answer this question. However, here's what we can tell based on this information.

If you're using the standard PHP session handler the session cookie will have a domain associated with it (which if not configured in php.ini or in your code will likely just be the domain the script was first called from). So for example, if you call a script that invokes session_start() from the domain www.stackoverflow.com and another script on chat.stackoverflow.com starts a session it will not have access to the cookie with the domain www.stackoverflow.com and thus will begin a new session.

Domains in the cookie header can bubble up, but not down. So if you want your session cookie to have access to all subdomains of Banana.com you must be sure to set the domain parameter correctly in each session initialization request with that domain.

See session_set_cookie_params and session_get_cookie_params for more details...

The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.

Additionally, you should note that cookies sent with the secure or http_only parameter set to true will not be readable over insecure or JavaScript initiated connections such as in the case of Ajax.

Sherif
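As an added example (not code from the answer above or from Banana), here is a session bootstrap that every entry point on the site would include, so the session cookie is scoped to the whole site rather than to whichever host name first created it. It assumes PHP 7.3 or newer (array form of session_set_cookie_params) and the placeholder host names www.banana.example and api.banana.example sharing one session.

```php
<?php
// Added example: shared session bootstrap for all banana.example entry points.
// Assumptions: PHP >= 7.3; cookie domain '.banana.example' is a placeholder.
declare(strict_types=1);

function start_site_session(string $cookieDomain = '.banana.example'): string
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return session_id();
    }

    // Must run before session_start(): the Set-Cookie header is built there.
    session_set_cookie_params([
        'lifetime' => 0,              // browser-session cookie, no fixed expiry
        'path'     => '/',
        'domain'   => $cookieDomain,  // one cookie for www., api., chat. hosts
        'secure'   => true,           // only sent over HTTPS
        'httponly' => true,           // not readable from document.cookie
        'samesite' => 'Lax',          // not attached to cross-site AJAX GETs
    ]);

    session_start();
    return session_id();
}

// Endpoint body for /app/ajax_loggedin: report login state and nothing else.
// 'user_id' is an assumed session key set by the login handler.
function logged_in_response(): array
{
    start_site_session();
    return ['loggedin' => isset($_SESSION['user_id']) ? 1 : 0];
}

header('Content-Type: application/json');
echo json_encode(logged_in_response());
```

With SameSite=Lax the browser does not attach the cookie to an AJAX GET issued from another site such as Monkey, so that cross-site probe still sees 0; that is the intended protection against leaking login state to third-party pages, and only same-site callers (the subdomains covered by the domain parameter) get the real answer.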
4

The reasons why you would get a new session ID are

  • You cleared the session ID cookie (typically named PHPSESSID)
  • You visited a page that called session_regenerate_id() (unlikely)
  • Your session hit the max lifetime and was garbage collected. This is a distinct possibility if banana.com has a lot of visitors, because garbage is collected randomly when PHP is invoked
  • session_id() was invoked with a different session

So what to do?

  • Check out the session files on the server. They're simple text so you can open them and see what's inside. Make sure your session exists.
  • Check php.ini for a short session lifetime.
  • Load sessions into something else and see if it continues. Using a MySQL/memcached system with a custom session handler could reveal issues.
Machavity
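As an added example (not from the answer above), a read-only diagnostic that walks those checks for the file-based session handler: it reports the lifetime and garbage-collection settings, whether the browser presented a session cookie at all, and whether a matching session file still exists and how long it has been idle. It assumes session.save_handler is files, which stores each session as sess_<id> under session.save_path, and it deliberately never calls session_start() so it cannot create or touch a session.

```php
<?php
// Added example: session diagnostics for the 'files' save handler.
// Assumption: plain save_path (no "N;mode;/path" form); expose this only on
// an admin-restricted URL, since it reveals server configuration.
declare(strict_types=1);

function session_diagnostics(): array
{
    $savePath = session_save_path() ?: sys_get_temp_dir();
    $report = [
        'save_handler'           => ini_get('session.save_handler'),
        'save_path'              => $savePath,
        'cookie_name'            => session_name(),
        'gc_maxlifetime_seconds' => (int) ini_get('session.gc_maxlifetime'),
        'gc_probability'         => ini_get('session.gc_probability') . '/'
                                  . ini_get('session.gc_divisor'),
        'cookie_params'          => session_get_cookie_params(),
        'session_file_exists'    => false,
    ];

    // Did the browser send a session cookie (PHPSESSID by default)?
    $presented = $_COOKIE[session_name()] ?? null;
    $report['cookie_presented'] = $presented !== null;

    // Only accept a well-formed id before using it in a path.
    if ($presented !== null && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $presented)) {
        $file = rtrim($savePath, '/') . '/sess_' . $presented;
        if (is_file($file)) {
            $idle = time() - (int) filemtime($file);
            $report['session_file_exists'] = true;
            $report['idle_seconds']        = $idle;
            // Files idle longer than gc_maxlifetime are candidates for the
            // random garbage collection the answer describes.
            $report['gc_eligible'] = $idle > $report['gc_maxlifetime_seconds'];
        }
    }

    return $report;
}

header('Content-Type: application/json');
echo json_encode(session_diagnostics(), JSON_PRETTY_PRINT);
```

A request that shows cookie_presented false points at the cookie not being sent (domain, path, or cross-site rules); cookie_presented true with session_file_exists false points at garbage collection or a mismatched save handler.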
2

Instead of calling the API and checking if the session is active: the session ID is stored in the cookie if the config file specifies where to store the session ID, or you can actually check if the session ID is set using the following code after

<?php
session_start();
$session_id = session_id();
if (isset($_SESSION[$session_id])) {
    echo 'logged in'; // a session entry keyed by this id exists
}
Varshaan
0

Something in the origin code, and/or in the ajax code is setting the session save handler. So for example your origin may be saving sessions to database while the ajax script is saving sessions to file.

Here is the php manual: http://php.net/manual/en/class.sessionhandler.php

ekerner