PHP Session when using desktop app

Question

In this question I asked how to POST to a php file form a vb.net app: http://stackoverflow.com/questions/2615335/post-to-webpage-in-vb-net-win-forms-desktop-not-asp-net So now I've logged in the user user by posting their username and password to the php file, the php file then does security/checks they exist/etc and if both username and password are correct is stores the user ID in a session variable.

Now if the vb.net app tries to download data off a page which needs the user to logged in, it checks this by doing:

if (!isset($_SESSION['uid'])) {
    header("Location: index.php");
}

However after having logged correctly in the app the session variable is not set. How does session work with a vb.net app like this?

When the user logs in successfully should I download the user id and keep it in the vb.net app and then post it to each page that requires authentication?

Answer 1

You should basically implement that functionality of a browser with respect to session management. That is, either you should provide the session-id in your URL (if the webserver supports and allows this) or you should store the session-id in the cookie, and when doing the HTTP-request, you should pass the cookie along. THis is the preferred method.

Note that System.Web contains classes for doing Http requests and receiving Http responses, so you dont have to write everything by yourself, just use the classes in that namespace and you can implement it fairly easy.

Answer 2

Sessions in PHP (and every other web platform I know) work this way:

• Client makes first request / sends login data
• PHP creates session for client, a random session ID is generated
• PHP script marks that session as "logged in"
• PHP sends generated session ID to client (usually through a cookie)
• Client makes subsequent requests and always sends along the session ID
• PHP recognizes the client by the session ID and loads session data

If your client makes a request without sending the session ID some way, it will always be "not logged in" - the session ID is what makes the PHP script "remember" its state.

If your WebApp library doesn't handle session cookies (I'm not familiar with vb.net programming and libraries), look for a library that can, or - maybe easier - have the PHP script print out the session ID on successful login. Catch that printout in your app, and add the following GET parameter:

?PHPSESSID=123456

(123456 being your session ID) to every subsequent request you make from your app to PHP. That way, PHP should be able to recognize the correct session.

As I said, I'm not familiar with VB.NET so there may be more elegant, ready-made solutions for this. But this is definitely going to work if there are none.

Answer 3

To have your PHP website recognize the VB.NET client as a logged on user you need to send a cookie. When you use session_start() in PHP, PHP will set a random ID in the visitors cookie to link the session with. What you need to know is what this ID is. More specifically, on your first request to the website, you should read this out.

In your other question I saw you are using a WebClient instance. If you sent a request, there is also a property called ResponseHeaders. This is a collection that contains the response headers from the webserver (in this case the webserver that's running your site). This will likely contain a cookie code too.

For example:

Dim myWebClient As New WebClient

Dim responseArray = myWebClient.UploadData("http://...", "POST", Encoding.ASCII.GetBytes(postData))
Dim MyCookie As String = cl.ResponseHeaders.Item(HttpResponseHeader.SetCookie)

myWebClient.Headers.Add(HttpRequestHeader.Cookie, MyCookie)

You have to process the responseArray in this example, but this is the basic principle for storing a cookie and sending it back. The next request you send out with the same instance of this WebClient will contain the cookie your site responded with the last request. Basically it means, the SessionID that the PHP site creates will be membered and send back.

Personally I would write a little wrapper class around this. Just make a function that sends out a login request to your specific site. Then store the cookie, and every request you will send later you add this cookie to it. You could easily write a 'generic' method like string GetPage(string URL); string PostPage(string URL, string PostData) etc.

Answer 4

Get your desktop app to read in the headers which are sent by the php script before the actual page content.

One of these headers will be the cookie data, you need to store this because you need to send this every time you request a page from the php script.

So, you need to find out how to read headers from a response and write headers for a request.

If this is to hard for you then you can pass data via the url GET parameters, like: http://example.com/?loginid=12345