
So I have a self-written PHP web service for an app.

Now I want to do the same on the web, but I struggle with the login.

I need to call 2 functions of the web service: one to get a login token, another one to verify that and request an access token.

So I call them with javascript:

    <?php
        if(isset($_POST['email']) && isset($_POST['password']))
        {
    ?>
            <script>
                // sha1() is expected to come from a JavaScript SHA-1 library included on the page
                var xhttp = new XMLHttpRequest();
                xhttp.open("POST", "http://webservice.com/requestLoginToken", false);
                xhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                xhttp.send(<?php echo "'email=" . urlencode($_POST['email']) . "'"?>);
                if(xhttp.status == 401)
                    document.getElementById("message").innerHTML = xhttp.responseText;
                else
                {
                    var loginToken = xhttp.responseText;
                    var pwHash = loginToken + <?php echo "'" . sha1($_POST['password']) . "'" ?>;
                    pwHash = sha1(pwHash);
                    xhttp = new XMLHttpRequest();
                    xhttp.open("POST", "http://webservice.com/authenticate", false);
                    xhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                    xhttp.send("loginToken=" + loginToken + "&publicHash=" + pwHash);
                    if(xhttp.status != 200)   // was "!xhttp.status == 200", which is never true
                        document.getElementById("message").innerHTML = xhttp.responseText;
                    else
                    {
                        var accesstoken = xhttp.responseText;
                    }
                }
            </script>
    <?php
        }
    ?>

So now I have the access token. But how can I set this now as a session variable of $_SESSION?

Or what is the best way to save this access token during the stay?

I need this token whenever I call the API.

  • When you get the token, send it to your PHP code through an AJAX call. However, take care about the way you do it, because it can be a security risk if you do it the wrong way. On the other side, if it is not strictly needed in your application to do it with JavaScript, I suggest you handle the whole login process with PHP, using curl for instance. Commented Jun 3, 2016 at 11:21
  • cURL was the trick I searched for! Works now. Thanks! Commented Jun 3, 2016 at 12:58

1 Answer

Not a direct answer to your question, but you should definitely consider using a proper framework or library, even for something that small. CodeIgniter, as far as I remember, is easy to get started with.

For instance, that line: urlencode($_POST['email']) is a big security issue, allowing XSS attacks.

Now, back to your question. What you need is to set a session cookie; then the browser will take care of it for you. Setting a cookie from JS is considered bad practice (as it prevents using HttpOnly cookies, a recommended security flag); the easiest would be for the server answering the login AJAX call to set a cookie on the response.
That cookie will be sent along with any subsequent calls to the same server. Again, if you use a proper framework, all the authentication stuff will be handled for you.
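The server-side variant suggested in the comments and in this answer, as an added example that is not code from the question or the answerer: the two-step login runs in PHP with curl, the access token lands in `$_SESSION`, and the browser only holds the HttpOnly session cookie. It assumes the service lives at `https://webservice.com` with the endpoint and parameter names from the question, and `/dashboard.php` is a placeholder redirect target.

```php
<?php
// login.php: added example, not code from the question or the answer.
// Runs the two-step login server-side with curl and keeps the access token in
// $_SESSION; the browser only ever holds the HttpOnly session cookie.
// Assumes the service is at https://webservice.com with the question's endpoints.
const API_BASE = 'https://webservice.com';
// POST form-encoded fields to the web service; returns [HTTP status, body].
function apiPost(string $path, array $fields): array
{
    $ch = curl_init(API_BASE . $path);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body === false ? '' : $body];
}

// Same challenge/response the question's JavaScript computed, now server-side.
function login(string $email, string $password): ?string
{
    [$status, $loginToken] = apiPost('/requestLoginToken', ['email' => $email]);
    if ($status !== 200) {
        return null;
    }
    $publicHash = sha1($loginToken . sha1($password));
    [$status, $accessToken] = apiPost('/authenticate',
        ['loginToken' => $loginToken, 'publicHash' => $publicHash]);
    return $status === 200 ? $accessToken : null;
}

// Session cookie: not readable from JS, only sent over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if (isset($_POST['email'], $_POST['password'])) {
    $token = login($_POST['email'], $_POST['password']);
    if ($token === null) {
        http_response_code(401);
        exit('Login failed');
    }
    session_regenerate_id(true);        // fresh session id after login
    $_SESSION['accessToken'] = $token;  // reused by every later API call
    header('Location: /dashboard.php'); // placeholder target
    exit;
}
```

Later API calls read `$_SESSION['accessToken']` after `session_start()` and pass it to the web service from PHP, so the token never reaches client-side JavaScript.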


1 Comment

Hey, thanks for your suggestions. Yeah, it would be much better to do so. I will do this next time.
