-1

Its an AJAX login script

HTML: 

<form class="ajax-submit" method="POST" action="https://example.com/api/accounts">
     <div class="form-group">
           <input type="text" class="form-control" name="uname" placeholder="Username or Email" value="">
     </div>
     <div class="form-group">
           <input type="password" class="form-control" name="password" placeholder="Password" value="">
     </div>
     <div class="form-group">
           <button class="btn btn-primary btn-block" type="submit">
                                Login
           </button>
     </div>
</form>

Nothing interesting here really, its just a form that gets submitted over AJAX.
This is the action file (https://example.com/api/accounts):

if($DB->AuthUser($email, $password)){
   $success = true;
}else{
   $success = false;
}

if($success){
   $json->success = true;
   $json->redirect = "https://example.com/?in-development";
}else{
   $json->success = false;
   $json->messages->password = "Wrong email or password";
}

As you can see, the session data is set in the DB class ($DB->AuthUser function) which is a third file (don't know if this can cause something). 

public function AuthUser($field, $password)
{
    session_start();
    $stmt = $this->conn->prepare("SELECT * FROM user_profiles WHERE (`email` = ? OR `username` = ?) LIMIT 1"); 
    $stmt->execute(array($field, $field)); 
    $row = $stmt->fetch();
    if(empty($row))
    {
        return false;
    }

    if(password_verify($password, $row['password'])){
        //set session data
        $_SESSION['user'] = $row;
        return true;
    }else{
        return false;
    }
}

Here is the JS:

var formData = new FormData(this);
    $.ajax({
        url: $(this).attr('action'), 
        type: 'POST',
        data: formData, 
        cache: false,
        processData: false,
        contentType: false,
        dataType: 'json',
        success: (function( data ) { ... }

Everything works, except session data not saving over the request (it does save without the AJAX request, but I don't want to drop it)

Funk Forty Niner
  • 73,764
  • 15
  • 63
  • 131
Dankest Memes
  • 7
  • 2
  • You need to send the PHPSESSID cookie with your XHR requests. This is generally why people opt for using client side authorization tokens like JWT. This is probably a duplicate of at least 10 posts, [php session not working with ajax](https://stackoverflow.com/questions/48697597/php-session-not-working-with-ajax) – Alex Barker Dec 20 '19 at 23:43
  • 1
    @AlexBarker - There's no need to manually send any session cookies (or any cookies) in ajax requests. The browsers already handles that. An ajax request is just like any other request the browser does (like writing an URL in the address bar, clicking on a link, posting a form) but it does it asynchronously in the background. – Magnus Eriksson Dec 20 '19 at 23:49
  • 1
    @AlexBarker, xmlhttp requests always send 'withCredidentials' to true for same domain requests. calling session_start already sends the "set-cookie" header. – ibrahim tanyalcin Dec 20 '19 at 23:49
  • Oh my god, I was searching for the problem for like 1-2 hours and just submitted a new one. I solved it, thanks for your time :) Edit: It's a cross-domain problem – Dankest Memes Dec 20 '19 at 23:50
  • @DankestMemes - What was the issue/solution? Don't leave us in suspense. – Magnus Eriksson Dec 20 '19 at 23:51
  • Basically, it determined the request location as a cross-domain and didn't send the PHPSESSID cookie back. (haven't tried if this is the cause, but I had some cases with cross-domain problems some days ago) – Dankest Memes Dec 20 '19 at 23:55
  • @MagnusEriksson Yeah, I confirmed it... The fix: add www on the form action link, instead of leaving it /example.com/ *facepalm* – Dankest Memes Dec 20 '19 at 23:58
  • Ah. Might be because of the redirect links? Depending on how the [cookies are set](https://stackoverflow.com/a/23086139/2453432), it can change things if you allow, for example, www and non www on the same site. – Magnus Eriksson Dec 20 '19 at 23:58
  • As I suspected. My previous comment an alternative solution to that specific issue. Always good to have alternatives :-) – Magnus Eriksson Dec 21 '19 at 00:00

1 Answers1

1

Fixed: So basically, I had a problem with the cross-domain policies (links with www and no www, were treated differently). Therefore, I was not getting the cookies back from the request. Simply editing the form action from "https://example.com/api/accounts" to "https://www.example.com/api/accounts" fixed the problem

Dankest Memes
  • 7
  • 2