HTTPSocket.Post

Mike_Charlesworth · August 29, 2013, 5:24pm

I am using HTTPSocket.Post’s from a desktop app to get information via PHP from my web server running MySQL. All working fine.

I need to use a PHP session cookie and as I understand the PHP session is closed when the user closes their browser. I am not using a browser but rather my desktop app and have a module which uses the HTTPSocket.Post method to make requests to the server. It seems the session is not persisting between my HTTPSocket.Post calls. Is this because the session is closed between each call because my module Dim’s a new HTTPSocket on every call? (i.e. effectively appearing that the browser is closed and then re-opened)

Should I create a global HTTPSocket property when my app is opened and leave it open until the app is closed to keep the session open?

Tim_Hare · August 29, 2013, 5:44pm

I don’t believe HTTPSocket supports sessions at all.

Mike_Charlesworth · August 29, 2013, 5:51pm

My PHP is starting the session when I make a call to a particular page with my HTTPSocket. Problem is when I make another call to another page with the HTTPSocket and the page tries to retrieve a $_SESSION variable the variable is empty. I only want to echo the session variable back to the HTTPSocket.

Tim_Hare · August 29, 2013, 7:10pm

Right. I think sessions are http 1.1 thing. Xojo’s HTTPSocket implements http 1.0. You’ll have to get a session id from your php script and then send it back. Your script won’t be able to use the $_SESSION variable, but rather some other variable you supply in the subsequent request.

Mike_Charlesworth · August 29, 2013, 8:22pm

Thanks Tim. I went down that route and store the session id locally in my app. I can still use the $_SESSION variable in my script. All I am doing now is POSTing the session id back and setting it in the script before I call session_start(). Are there security risks with passing the session id back and forth? I am storing the user_id in my session cookie once they are logged on along with their username.

Tim_Hare · August 29, 2013, 8:26pm

As long as you’re using https:// you’re fine. Otherwise, there’s no security anywhere.

Mike_Charlesworth · August 29, 2013, 8:28pm

Yes, thought so. I’m not at the moment but i’m testing on a local server. Will be using secure socket when it goes live.

Mike_Charlesworth · August 29, 2013, 8:30pm

Tim, are you a bit of a wizz with PHP? I wonder if I could ask you a question regarding hashing passwords?

Tim_Hare · August 29, 2013, 9:00pm

I’m passable in PHP, but I lifted password hashing off the web. Here’s one place to look: https://defuse.ca/php-pbkdf2.htm

And look here for a full discussion: https://crackstation.net/hashing-security.htm

Mike_Charlesworth · August 29, 2013, 9:10pm

Ah, that was the code I was intending to use and the query I had. The output of the create_hash function is of the format algorithm:iterations:salt:hash

What is stored in your db, just the hash part?

Tim_Hare · August 29, 2013, 9:23pm

You store the whole thing. It’s useless without the original password.

Mike_Charlesworth · August 29, 2013, 9:25pm

Right, thanks. You recommend this method then? It was what I had found too after a lot of digging.

Tim_Hare · August 29, 2013, 9:28pm

Too many edits. Mike asked: is storing the algorithm and number of iterations a risk?

No more risky than storing the salt. The point is that it isn’t worth a hackers time to attack. It can be cracked, but it would take way too much time. And cracking one password doesn’t help with cracking any of the others.

Tim_Hare · August 29, 2013, 9:32pm

It’s secure enough for most applications.

Mike_Charlesworth · August 29, 2013, 10:02pm

Thanks a lot Tim…