I love coding

Reputation: 1191

How can a session id be sent and got in Windows Phone 8.1?

I'm running a PHP server with this file, which detects if the username and password posted are correct:

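    <?php

    include 'MySQL.php';

    // Load every username => password pair from the User table.
    $USERS = array();

    $results = mysqli_query(connect(), "SELECT * FROM User");
    while ($row = mysqli_fetch_array($results)) {
        $USERS[$row['username']] = $row['password'];
    }

    // Redirect to the login page unless the session names a known user.
    function check_logged() {
        global $USERS;  // $_SESSION is a superglobal and needs no global declaration
        if (!isset($_SESSION["logged"]) || !array_key_exists($_SESSION["logged"], $USERS)) {
            header("Location: login.php");
            exit;  // stop here so the protected page does not keep running
        }
    }

    // Return true when the session names a known user.
    function check_user() {
        global $USERS;
        if (!isset($_SESSION["logged"]) || !array_key_exists($_SESSION["logged"], $USERS)) {
            return false;
        } else {
            return true;
        }
    }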

For each protected page I put these lines of code:

    <?php
    session_start();
    include ("../php/passwords.php");

If I don't want to post the username and password each time from a Windows Phone 8.1 application, how can I share the session ID in the client application? Right now the server is running over HTTP; in the near future I will add the HTTPS/SSL service to better protect the data sent.

So my question is: how can I handle and retrieve the session, and send it to the server, when I want to access the protected service? The username and password are in the WP settings.

Upvotes: 0

Views: 102

Answers (1)

Ido

Reputation: 2054

First of all, in your PHP code, why don't you use check_user() inside check_logged()? And if the file you include to access those functions uses sessions, why is session_start() not inside it (instead of writing it each time you include that file)?

For your question, you simply use a "hash"; the application will save it. And when you want to identify the account, you check which account has this hash in the table. When you generate it, make it really long, with lots of letters, numbers and symbols, so it would be impossible to guess one. And of course it has to be unique.

Edit: BTW, why do you select all the users if you're probably only going to verify one of them? I'm on the phone, otherwise I would have added some code...

Edit: Let's try the theory again; I'll add some code if you still don't understand what I'm talking about, which is completely OK because you're new to this. The idea behind the hash is, for example, to use the username and generate it with some SALT (which is a random hash that you need to store and re-use every time you want to generate the hash and compare it with the database). The idea is to know which user is logged in: when a user logs in, you generate a unique hash and save it in the accounts table. Then save that hash on the client side. When a client wants access, you simply take the hash from the client, and you know he is the user the hash is stored with. So you log him in. Make sure the hash is long enough and secure enough.

Upvotes: 1
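
The flow this answer describes (generate a long random value at login, store it with the account, have the app send it back on later requests), as an added example that is not code from the question or the answer. It assumes an in-memory SQLite table standing in for the `User` table, hypothetical columns `token_hash` and `token_expires`, and passwords stored with `password_hash()`; keeping only a SHA-256 of the token plus an expiry goes beyond what the answer states.

```php
<?php
// Added example, not the poster's code. The in-memory SQLite table is a
// constructed stand-in for the MySQL User table; column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE User (username TEXT PRIMARY KEY, password TEXT,
           token_hash TEXT UNIQUE, token_expires INTEGER)');
$db->prepare('INSERT INTO User (username, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Login: verify the password once, then hand the client a random token.
function login(PDO $db, string $user, string $pass, int $ttl = 86400): ?string {
    $q = $db->prepare('SELECT password FROM User WHERE username = ?');
    $q->execute([$user]);
    $stored = $q->fetchColumn();
    if ($stored === false || !password_verify($pass, $stored)) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    // Store only a hash, so a leaked table does not expose usable tokens.
    $db->prepare('UPDATE User SET token_hash = ?, token_expires = ? WHERE username = ?')
       ->execute([hash('sha256', $token), time() + $ttl, $user]);
    return $token;                        // the raw token lives only on the client
}

// Protected page: map the presented token back to an account, or null.
function user_for_token(PDO $db, string $token): ?string {
    $q = $db->prepare('SELECT username FROM User WHERE token_hash = ? AND token_expires > ?');
    $q->execute([hash('sha256', $token), time()]);
    $user = $q->fetchColumn();
    return $user === false ? null : $user;
}

// Logout: revoke the token server-side so the stored copy stops working.
function logout(PDO $db, string $user): void {
    $db->prepare('UPDATE User SET token_hash = NULL, token_expires = NULL WHERE username = ?')
       ->execute([$user]);
}

// Constructed walk-through: valid token, guessed token, token after logout.
$token = login($db, 'alice', 'constructed-password');
var_dump(user_for_token($db, $token));
var_dump(user_for_token($db, str_repeat('0', 64)));
logout($db, 'alice');
var_dump(user_for_token($db, $token));
```

The app would keep the returned token in its settings in place of the password and send it with each request, for example in an `Authorization` header, once the server is reachable over HTTPS.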
