I have a XAMPP local server (for testing my Telegram bot with PHP) with ngrok, which opens my server to the internet. When I try to call my webhook.php file on the ngrok URL (and on localhost) my session ID is always the same (as it should be). But when a user tries to send a message to my bot (triggering the webhook), the session ID keeps changing every time, so it doesn't save the data! My ngrok server is using HTTPS and my XAMPP local server uses HTTP. (I also tried to use HTTPS for XAMPP, but the session ID keeps changing regardless.)

webhook.php

```php
<?php
session_start();
require 'vendor/autoload.php';
require 'variables.php';

if(isset($_SESSION["statusNewAsta"]))
    $statusNewAsta = $_SESSION["statusNewAsta"];

$bot = new TelegramBot\Api\BotApi($apiToken);

$update = json_decode(file_get_contents('php://input'), true);
file_put_contents('log.txt', session_id(), FILE_APPEND);

echo session_id();

if(isset($update['message'])) {
    $message = $update['message'];
    $chatId = $message['chat']['id'];

    if (isset($message['text']))
        switch ($message['text'])
        {
            case '/start': commandStart($chatId); break;
            case '/newAsta':
                if(in_array($chatId,$adminIds))
                    commandNewAsta($chatId);
                else
                    $bot->sendMessage($chatId,'Non puoi eseguire questo comando!');
                break;
            default:
                if(in_array($chatId,$adminIds))
                    if(isset($_SESSION["statusNewAsta"]))
                        switch ($stepCreatingAsta)
                        {
                            case "waiting_name": getNameNewAsta($chatId,$message['text']);
                        }
                break;
        }
}
```

I was saving the data I received from the webhook in a file for debugging. I tried to use that same method to check the session ID live after webhook.php is called within a request, and I can see that the session ID keeps changing. When I try to access a variable, the array is obviously empty.

I wanted my session ID to remain the same through the webhook calls, and I wanted my user to send the name of an object that the bot has to remember. That's why I'm not using a database, because the data is sent to the database after the user provides all the data. Also, I want my bot to remember which state the request for creating a new object is in (that's the data I want to remember with the session).

1 Answer

You simply cannot assume that the session will always be the same when writing code for a webhook.

The whole assumption is wrong. Sessions are associated with clients. As long as you are the client you see your sessions, but that cannot be the case for your users.

In short: Do not use session information in a webhook.

KIKO Software
  • Not sure who downvoted this, did someone not like the truth? :-) But yes, confirming - it makes no sense to try and use a session in a webhook handler, _unless_ it was some sort of callback like in a web payment situation, where an identifier has been passed _from_ the client side at the start of the whole process. But that is not the case with a telegram webhook. – CBroe Jul 28 '23 at 06:43
  • @CBroe just making a statement (which is not even that truthy as you think) is not an *answer*. – Your Common Sense Jul 28 '23 at 07:08
  • @YourCommonSense I think you mean the truth is not a _solution_. I only gave a reason why the session changes, some advice, but no specific solution for what the code attempts to do. – KIKO Software Jul 28 '23 at 07:13
  • I see, so every time a webhook is called the session ID will always be different. Thanks, I didn't know that, I'm a newbie in PHP. I'll accept your answer. One more thing: can I use a file on the server to hold that variable? Is it a safe alternative? – Cesare Diodato Jul 28 '23 at 08:24
  • I also found out that the Telegram bot doesn't support cookies – Cesare Diodato Jul 28 '23 at 08:27
  • Yes, no cookie either, it is basically server-2-server communication, not client-2-server. Sorry, I can't tell if storing the variable in a file is safe, in the sense that it will always work. It's certainly possible, but I would at least use [a lock on the file](http://www.hackingwithphp.com/8/11/0/locking-files-with-flock) when you access it, to prevent two processes changing the variable at the same time. Normally you would use a database for something like this. – KIKO Software Jul 28 '23 at 08:29
  • Hmmm, I see. I think I will use a database then, thanks for the answers! – Cesare Diodato Jul 28 '23 at 08:56
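
The locked-file approach mentioned in the comments, as an added example that is not part of the original question or answer: conversation state is keyed by the chat ID carried in each Telegram update instead of a PHP session cookie. `STATE_FILE`, `updateChatState()` and the sample update are assumptions made for illustration.

```php
<?php
// Added example: per-chat conversation state in a JSON file guarded by flock().
// STATE_FILE and updateChatState() are assumed names, not from the question's code.
const STATE_FILE = __DIR__ . '/../bot_state.json'; // assumed location outside the web root

// Run $fn on one chat's state under an exclusive lock and persist the result.
function updateChatState(int $chatId, callable $fn, string $file = STATE_FILE): array
{
    $fh = fopen($file, 'c+');            // create if missing, never truncate on open
    if ($fh === false) {
        throw new RuntimeException("cannot open $file");
    }
    try {
        if (!flock($fh, LOCK_EX)) {      // waits while another webhook call holds the lock
            throw new RuntimeException('cannot lock state file');
        }
        $all = json_decode(stream_get_contents($fh) ?: '{}', true);
        if (!is_array($all)) {
            $all = [];                   // empty or corrupt file: start clean
        }
        $key = (string) $chatId;
        $state = $fn($all[$key] ?? []);
        if ($state === []) {
            unset($all[$key]);           // flow finished: forget this chat
        } else {
            $all[$key] = $state;
        }
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, json_encode($all));
        fflush($fh);
        return $state;
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Constructed sample update, shaped like what webhook.php decodes from php://input.
$update = ['message' => ['chat' => ['id' => 123456789], 'text' => 'Vintage lamp']];
$chatId = filter_var($update['message']['chat']['id'] ?? null, FILTER_VALIDATE_INT);
if ($chatId !== false) {                 // reject anything that is not an integer chat ID
    // First call: what /newAsta would record. Second call: the follow-up message.
    updateChatState($chatId, fn(array $s) => ['step' => 'waiting_name']);
    $state = updateChatState($chatId, fn(array $s) => ($s['step'] ?? '') === 'waiting_name'
        ? ['step' => 'done', 'name' => $update['message']['text']]
        : $s);
    echo json_encode($state), PHP_EOL;
}
```

The same read-modify-write pattern maps directly onto a database row keyed by chat ID, with a transaction taking the place of `flock()`.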