I am using HTTPSocket.Post calls from a desktop app to get information via PHP from my web server running MySQL. All working fine.

I need to use a PHP session cookie and as I understand the PHP session is closed when the user closes their browser. I am not using a browser but rather my desktop app and have a module which uses the HTTPSocket.Post method to make requests to the server. It seems the session is not persisting between my HTTPSocket.Post calls. Is this because the session is closed between each call because my module Dim’s a new HTTPSocket on every call? (i.e. effectively appearing that the browser is closed and then re-opened)

Should I create a global HTTPSocket property when my app is opened and leave it open until the app is closed to keep the session open?

I don’t believe HTTPSocket supports sessions at all.

My PHP is starting the session when I make a call to a particular page with my HTTPSocket. Problem is when I make another call to another page with the HTTPSocket and the page tries to retrieve a $_SESSION variable the variable is empty. I only want to echo the session variable back to the HTTPSocket.

Right. I think sessions are an HTTP 1.1 thing. Xojo’s HTTPSocket implements HTTP 1.0. You’ll have to get a session id from your PHP script and then send it back. Your script won’t be able to use the $_SESSION variable, but rather some other variable you supply in the subsequent request.

Thanks Tim. I went down that route and store the session id locally in my app. I can still use the $_SESSION variable in my script. All I am doing now is POSTing the session id back and setting it in the script before I call session_start(). Are there security risks with passing the session id back and forth? I am storing the user_id in my session cookie once they are logged on along with their username.

As long as you’re using https:// you’re fine. Otherwise, there’s no security anywhere.

Yes, thought so. I’m not at the moment but I’m testing on a local server. Will be using secure socket when it goes live.

Tim, are you a bit of a whiz with PHP? I wonder if I could ask you a question regarding hashing passwords?

I’m passable in PHP, but I lifted password hashing off the web. Here’s one place to look:

And look here for a full discussion:

Ah, that was the code I was intending to use and the query I had. The output of the create_hash function is of the format algorithm:iterations:salt:hash

What is stored in your db, just the hash part?

You store the whole thing. It’s useless without the original password.

Right, thanks. You recommend this method then? It was what I had found too after a lot of digging.

Too many edits. Mike asked: is storing the algorithm and number of iterations a risk?

No more risky than storing the salt. The point is that it isn’t worth a hacker’s time to attack. It can be cracked, but it would take way too much time. And cracking one password doesn’t help with cracking any of the others.

It’s secure enough for most applications.

Thanks a lot Tim…
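
Why the whole `algorithm:iterations:salt:hash` string is stored, as an added example that is not code from this thread or from the code it refers to: verification has to read the algorithm, iteration count and salt back out of the record to recompute the hash. The function names, the iteration count and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example: create and verify a stored "algorithm:iterations:salt:hash"
// record with PBKDF2. All names and constants below are hypothetical.

const PBKDF2_ALGO = 'sha256';
const PBKDF2_ITERATIONS = 600000;   // assumed work factor; tune for your server
const SALT_BYTES = 16;
const HASH_BYTES = 32;

function make_stored_hash(string $password): string
{
    $salt = random_bytes(SALT_BYTES);   // fresh random salt for every password
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, HASH_BYTES, true);
    // base64 never contains ':', so ':' is a safe field separator.
    return implode(':', [PBKDF2_ALGO, PBKDF2_ITERATIONS, base64_encode($salt), base64_encode($hash)]);
}

function check_password(string $password, string $stored): bool
{
    $parts = explode(':', $stored);
    if (count($parts) !== 4) {
        return false;                   // malformed record
    }
    [$algo, $iterations, $salt64, $hash64] = $parts;
    $salt = base64_decode($salt64, true);
    $expected = base64_decode($hash64, true);
    // Reject unknown algorithms and bad parameters instead of trusting the row.
    if (!in_array($algo, ['sha256', 'sha512'], true) || !ctype_digit($iterations)
        || (int)$iterations < 1 || $salt === false || $expected === false || $expected === '') {
        return false;
    }
    // Recompute with the parameters stored in the record, not the current defaults,
    // so old records keep verifying after the work factor is raised.
    $actual = hash_pbkdf2($algo, $password, $salt, (int)$iterations, strlen($expected), true);
    return hash_equals($expected, $actual);   // constant-time comparison
}

// Constructed sample data.
$first  = make_stored_hash('correct horse');
$second = make_stored_hash('correct horse');
var_dump($first !== $second);                 // same password, different salts
var_dump(check_password('correct horse', $first));
var_dump(check_password('wrong guess', $first));
var_dump(check_password('correct horse', 'md5:1:AAAA'));   // malformed record
```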