Access PHP Session in Ionic app

Hi,
I’m new to Ionic. For the last 2/3 weeks, I’ve been working on Ionic to build a mobile app for our web application & am currently confused at one step. I need some suggestions regarding the best way to solve this.

Our web application is built upon PHP & we are not using any kind of REST architecture in it. Now that we are moving to the mobile app, we are trying to refactor our codebase so that one base code will handle both kinds of request (mobile app/web app).

On the mobile app side, I’m using OAuth (http://bshaffer.github.io/oauth2-server-php-docs/). It’s working fine; I am able to log in/log out. But I can’t manage my PHP SESSION data.

In the web application, I know that after login PHP sends a session ID which gets stored in a browser cookie & in all subsequent HTTP calls it gets attached by the browser. But in my mobile app I’m not getting that SESSION ID after login. So I thought maybe this is the reason why my mobile app is not getting the user’s SESSION data.

To resolve this, what I’ve done now…
After getting the authorization token & refresh token from the OAuth server, I include the current PHP SESSION ID in the data set as well & return it to the mobile app. Then, in all subsequent HTTP calls I send that SESSION ID value to the server side & by using the following code I retrieve the user’s SESSION data.

<?php
// Reuse the session ID the mobile app sends back (it received it at login)
session_id($_POST['session_id']);
session_start();
// Read the user data stored in that session
$UserData = $_SESSION['User'];

It’s working now. But I really don’t know whether this is the right way to do such things or not & mostly I’m concerned about the security issues associated with this. Can anyone guide me on this?

Regards
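An added example, not code from the thread or from the oauth2-server-php project, showing a hardened form of the bridge described above: the bearer token stays the proof of identity, the client-supplied session ID is only accepted if it belongs to the same user, and PHP’s strict mode stops a client from creating a session under an ID of its choosing. It assumes the bshaffer library with an already configured `$storage`, a `$_SESSION['User']['id']` field set at login, and a hypothetical length limit for session IDs.

```php
<?php
// Added example (not from the forum thread). Assumes bshaffer/oauth2-server-php
// and a configured $storage (e.g. OAuth2\Storage\Pdo) as in that library's docs.
require_once __DIR__ . '/vendor/autoload.php';

// 1. Only accept session IDs the server itself issued. With strict mode, an
//    unknown ID is silently replaced by a fresh one instead of being adopted,
//    which closes the session-fixation hole of trusting $_POST['session_id'].
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

$server  = new OAuth2\Server($storage);      // $storage is assumed to exist
$request = OAuth2\Request::createFromGlobals();

// 2. The bearer token, not the session ID, authenticates the request.
if (!$server->verifyResourceRequest($request)) {
    $server->getResponse()->send();          // 401 + WWW-Authenticate header
    exit;
}
$tokenUserId = $server->getAccessTokenData($request)['user_id'];

// 3. Sanity-check the POSTed session ID before handing it to session_id().
//    Character set matches PHP's default session.sid_bits_per_character=5;
//    the 22..128 length window is an assumed limit.
$sid = $request->request('session_id', '');
if (!preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid)) {
    http_response_code(400);
    exit;
}
session_id($sid);
session_start();

// 4. The session must belong to the user the token was issued to; otherwise a
//    leaked or guessed ID would let one authenticated user read another's data.
//    $_SESSION['User']['id'] is assumed to be populated by the existing login.
if (!isset($_SESSION['User']['id'])
    || (string) $_SESSION['User']['id'] !== (string) $tokenUserId) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit;
}

$UserData = $_SESSION['User'];
header('Content-Type: application/json');
echo json_encode(['user' => $UserData]);
```

If the check in step 4 ever fires, it is worth logging the token's user ID alongside the rejected session ID, since a mismatch means a session ID reached a client it was not issued to.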

To be clear:
Sessions/cookies are something like an “old” way of doing authorization.

The token approach is a little bit newer and gets the main thing soon.
You do not need sessions or cookies for that.

Create an access and refresh token after successful login (even in your web app) --> if the access token expires --> the frontend can get a new token pair via the refresh token.
The frontend can store these keys in localStorage (or, if you want, as a cookie or something else).

Every request sends the Authorization token and token type with the HTTP(S) header:

Authorization: Bearer XXXXXXXXX // Bearer = tokentype XXXXX = the token

Your backend can check before processing the request --> is the user authorized and is it a valid authorization.

That’s it.

Yeah, you are right about the “Session/Cookie” thing. But our web app is running on a lot of old code. That said, it is working fine & is also in production. Currently, we also don’t have that much time to change everything. We’ll do that one by one.

Anyway, what are your thoughts about my approach? I’m mainly concerned about the security stuff. Am I doing it the right way, or can I make it better by adding small tweaks rather than making big changes?