-1

It's an AJAX login script.

HTML:

<form class="ajax-submit" method="POST" action="https://example.com/api/accounts">
    <div class="form-group">
        <input type="text" class="form-control" name="uname" placeholder="Username or Email" value="">
    </div>
    <div class="form-group">
        <input type="password" class="form-control" name="password" placeholder="Password" value="">
    </div>
    <div class="form-group">
        <button class="btn btn-primary btn-block" type="submit">Login</button>
    </div>
</form>

Nothing interesting here really, it's just a form that gets submitted over AJAX.
This is the action file (https://example.com/api/accounts):

if($DB->AuthUser($email, $password)){
   $success = true;
}else{
   $success = false;
}

if($success){
   $json->success = true;
   $json->redirect = "https://example.com/?in-development";
}else{
   $json->success = false;
   $json->messages->password = "Wrong email or password";
}

As you can see, the session data is set in the DB class ($DB->AuthUser function) which is a third file (don't know if this can cause something).

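public function AuthUser($field, $password)
{
    // Start the session only if one is not already active
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Look the account up by email or username (prepared statement)
    $stmt = $this->conn->prepare("SELECT * FROM user_profiles WHERE (`email` = ? OR `username` = ?) LIMIT 1");
    $stmt->execute(array($field, $field));
    $row = $stmt->fetch();
    if (empty($row)) {
        return false;
    }

    if (password_verify($password, $row['password'])) {
        // Issue a fresh session ID on login to prevent session fixation
        session_regenerate_id(true);
        // Set session data
        $_SESSION['user'] = $row;
        return true;
    }
    return false;
}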

Here is the JS:

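// Submit handler wrapper assumed; the posted snippet starts inside it
$('form.ajax-submit').on('submit', function (e) {
    e.preventDefault(); // send over AJAX instead of a full page load
    var formData = new FormData(this);
    $.ajax({
        url: $(this).attr('action'),
        type: 'POST',
        data: formData,
        cache: false,
        processData: false, // pass the FormData object through untouched
        contentType: false, // let the browser set the multipart boundary
        dataType: 'json',
        success: function (data) { /* ... */ }
    });
});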

Everything works, except that the session data is not saved over the request (it does save without the AJAX request, but I don't want to drop it).

9
  • You need to send the PHPSESSID cookie with your XHR requests. This is generally why people opt for using client side authorization tokens like JWT. This is probably a duplicate of at least 10 posts, php session not working with ajax Commented Dec 20, 2019 at 23:43
  • 1
    @AlexBarker - There's no need to manually send any session cookies (or any cookies) in ajax requests. The browser already handles that. An ajax request is just like any other request the browser does (like writing a URL in the address bar, clicking on a link, posting a form) but it does it asynchronously in the background. Commented Dec 20, 2019 at 23:49
  • 1
    @AlexBarker, xmlhttp requests always send 'withCredentials' to true for same domain requests. Calling session_start already sends the "set-cookie" header. Commented Dec 20, 2019 at 23:49
  • Oh my god, I was searching for the problem for like 1-2 hours and just submitted a new one. I solved it, thanks for your time :) Edit: It's a cross-domain problem Commented Dec 20, 2019 at 23:50
  • @DankestMemes - What was the issue/solution? Don't leave us in suspense. Commented Dec 20, 2019 at 23:51

1 Answer 1

1

Fixed: So basically, I had a problem with the cross-domain policies (links with www and without www were treated differently). Therefore, I was not getting the cookies back from the request. Simply editing the form action from "https://example.com/api/accounts" to "https://www.example.com/api/accounts" fixed the problem.
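Added example (not part of the original answer or the asker's code): a small Node.js model of the browser rules behind this fix, showing when a login response's session cookie is stored and whether it is visible to the page's own host. The function names and the page URL `https://www.example.com/login` are assumptions made for illustration.

```javascript
// Added example; function names are illustrative, not from the post.

// Cookie a PHP login response would set. With no Domain attribute (PHP's
// default session cookie) it is host-only: bound to the exact responding host.
function sessionCookie(actionUrl, domainAttr = null) {
  const host = new URL(actionUrl).hostname;
  return domainAttr
    ? { domain: domainAttr.replace(/^\./, '').toLowerCase(), hostOnly: false }
    : { domain: host, hostOnly: true };
}

// RFC 6265 section 5.1.3 domain matching.
function cookieMatchesHost(cookie, host) {
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith('.' + cookie.domain);
}

// XHR includes credentials by default only on same-origin requests: a
// cross-origin call neither sends cookies nor stores Set-Cookie unless
// withCredentials is true (and the server opts in through CORS).
function diagnose(pageUrl, actionUrl, { withCredentials = false, domainAttr = null } = {}) {
  const page = new URL(pageUrl);
  const action = new URL(actionUrl);
  const cookie = sessionCookie(actionUrl, domainAttr);
  const sameOrigin = page.origin === action.origin;
  // The browser also rejects a Domain attribute that does not cover the responding host.
  const cookieStored = (sameOrigin || withCredentials) &&
    cookieMatchesHost(cookie, action.hostname);
  return {
    sameOrigin,
    cookieStored,
    // Does the stored session cookie reach PHP on the page's own host?
    sessionVisibleToPage: cookieStored && cookieMatchesHost(cookie, page.hostname),
  };
}

// Constructed scenarios based on the hosts in the post.
const PAGE = 'https://www.example.com/login'; // assumed page URL
console.log(diagnose(PAGE, 'https://example.com/api/accounts'));     // original form action
console.log(diagnose(PAGE, 'https://www.example.com/api/accounts')); // action after the fix
console.log(diagnose(PAGE, 'https://example.com/api/accounts',
  { withCredentials: true }));                                       // stored, but host-only
console.log(diagnose(PAGE, 'https://example.com/api/accounts',
  { withCredentials: true, domainAttr: 'example.com' }));            // shared by both hosts
```

The third scenario shows why enabling `withCredentials` alone would not have been enough: the cookie is stored for `example.com` only, so pages on `www.example.com` still see no session unless the cookie's Domain attribute covers both hosts.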
