I'm currently trying to use the current session of a PHP web page from an applet. I thought it would be straightforward, but it didn't go as smoothly as I thought. From the PHP manual:

session_start() creates a session or resumes the current one based on a session
identifier passed via a GET or POST request, or passed via a cookie.

From there I did some php (simplified here):

// PAGE1.PHP
session_start();
$_SESSION['test'] = true;
echo "sid=" . session_id();

// PAGE2.PHP
session_start();
if ($_SESSION['test'])
    echo "success";
else
    echo "fail";

So, from my applet, I do a request to PAGE1.PHP and it returns me the session id. When I do a new request on the page 2, I pass the session id as a parameter and it seems that the session wasn't kept. I use

URL url = new URL("my/url/PAGE2.php?sid=" + session_id); 
URLConnection conn = url.openConnection();
conn.setDoOutput(true); 
OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream()); 

wr.write(data); // data is the post data created previously
wr.flush(); 

// Get the response 
BufferedReader rd = new BufferedReader(
    new InputStreamReader(conn.getInputStream())); 
String line;
while ((line = rd.readLine()) != null) { 
    System.out.println(line);
}

I have tried via POST and GET method and it doesn't seem to work.

So I'm wondering if it's possible, and if yes, what do I miss?

thanks.

+2  A: 

Your PAGE2.php is not actually using the sid param you're passing via _GET to initiate the session.

In page2.php, try:

session_id($_GET['sid']);
session_start(); 

instead of plain-old:

session_start();
timdev
I've been trying it without success. After reading the man page again, it seems that session_start is void. So it's normal that it doesn't work.
AngeDeLaMort
@timdev you're actually looking for `session_id($_GET['sid']); session_start();`
Frank Farmer
Thanks Frank! I misread the doc about session_id. I thought it was always creating a new session when calling that. Now it works like a charm!
AngeDeLaMort
@Frank - thanks from me too. I've updated my answer.
timdev
+1  A: 

Accepting session IDs as part of the GET is bad form, and a bad idea security-wise. I would suggest that you retrieve the session ID from the PHPSESSION cookie with something like:

The following Java snippet was shamelessly copied from here – have a look at that (although it is Java 1.4 specific).

// Requires: import netscape.javascript.JSObject; (both methods live in the Applet subclass)
public String getCookie() {
  /*
  ** get all cookies for a document
  */
  try {
    JSObject myBrowser = (JSObject) JSObject.getWindow(this);
    JSObject myDocument = (JSObject) myBrowser.getMember("document");
    String myCookie = (String) myDocument.getMember("cookie");
    if (myCookie.length() > 0)
      return myCookie;
  }
  catch (Exception e) {
    e.printStackTrace();
  }
  return "?";
}

public String getCookie(String name) {
  /*
  ** get a specific cookie by its name, parse the cookie.
  **    not used in this Applet but can be useful
  */
  String myCookie = getCookie();
  String search = name + "=";
  if (myCookie.length() > 0) {
    int offset = myCookie.indexOf(search);
    if (offset != -1) {
      offset += search.length();
      int end = myCookie.indexOf(";", offset);
      if (end == -1) end = myCookie.length();
      return myCookie.substring(offset, end);
    }
    else
      System.out.println("Did not find cookie: " + name);
  }
  return "";
}

Elsewhere in your code grab the session id using:

  getCookie("PHPSESSION"); // replace this with the cookie name in your /etc/php.ini

and set it in your applet.

 conn.setRequestProperty("Cookie", "PHPSESSION=value"); 

Far more current information is available at the sun java cookie page

Elf King
It may be a stupid question, but what is the difference in security between passing the session id via GET/POST and cookie? (Also, I encrypt my data between php and java when using post)
AngeDeLaMort
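
Added example (not code from the question or either answer): with a `java.net.CookieManager` installed, `URLConnection` stores the session cookie from the first response and sends it back on the second request, so the session ID never travels in the URL, where it would land in server logs, browser history and Referer headers. The in-process stub server, its `/page1` and `/page2` paths and the session value are constructed stand-ins for PAGE1.PHP and PAGE2.PHP; `PHPSESSID` is PHP's default `session.name`, and Java 9+ is assumed.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class SessionCookieDemo {
    // Constructed session id; a real one is issued by PHP's session_start().
    static final String SID = "constructed0session0id";

    public static void main(String[] args) throws Exception {
        // Stub server standing in for PAGE1.PHP and PAGE2.PHP (assumption).
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/page1", ex -> {
            // The id is delivered only as a cookie, never echoed into a URL or body.
            ex.getResponseHeaders().add("Set-Cookie", "PHPSESSID=" + SID + "; Path=/; HttpOnly");
            reply(ex, "session started");
        });
        server.createContext("/page2", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            reply(ex, cookie != null && cookie.contains("PHPSESSID=" + SID) ? "success" : "fail");
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        // No cookie jar: each request is independent, so page2 sees no session.
        System.out.println("without CookieManager: " + get(base + "/page1") + " -> " + get(base + "/page2"));
        // JVM-wide cookie jar: URLConnection stores Set-Cookie and replays it.
        CookieHandler.setDefault(new CookieManager());
        System.out.println("with CookieManager:    " + get(base + "/page1") + " -> " + get(base + "/page2"));
        server.stop(0);
    }

    static void reply(HttpExchange ex, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(200, bytes.length);
        ex.getResponseBody().write(bytes);
        ex.close();
    }

    static String get(String url) throws IOException {
        try (InputStream in = new URL(url).openStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

Because the cookie jar lives in the Java HTTP stack, the session cookie can be marked `HttpOnly`, which a `document.cookie` lookup cannot read.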