How can I share SESSION between front and backend PHP?

Question

I'm a bit new to loosely coupled methodologies, but I'm giving it a try. I have a PHP backend file that receives and responds to requests from the frontend. The problem is that the frontend is located at https://servername.com and the backend is http://localhost/backend.php

I want to check on the backend to make sure that a user I've validated is making the requests, but I haven't been able to figure out how to share sessions from front to backend. Basically, I want to know the userid of the operator making the requests so I can have the backend generate responses appropriately by access level.

I'm currently using curl to generate the request as such:

$ch= curl_init();
curl_setopt($ch,CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['session_id'=>session_id()]));
curl_setopt($ch, CURLOPT_URL, 'http://localhost/backend.php');
$response = curl_exec($ch)

Etc. I close it, return and so on, but this never works. Every time I send the session id and try to restore it on the backend, the transfer times out.

Restoring isn't supposed to be hard according to everything I'm reading:

if ($_REQUEST['session_id'])
   session_id($_REQUEST['session_id']);
session_start();

But it fails. If I send no session id, the communication works, but I don't have session information on the backend. If I send the id, it times out every time.

NOTE: I have tried changing the CURL url to https://localhost and servername with HTTPS but then I get an error: requested domain name does not match the server's certificate. Trying servername without HTTPS gives the same timeout issue I started with.

Answer 1

The value of session_id() on the frontend is determined by the frontend. The session_id() on the backend is determined by the backend. These do not match.

Sending the session id of the frontend to the backend will not grant you access to the session of the user on the backend. You would need to know the backend's session id, which you can't extract on the frontend.

There are 2 solutions;

1. The easiest solution is to make sure the backend and frontend are on the same domain (so www.example.com and backend.example.com). You can set the cookie domain for the session cookie to .example.com , so both will use the same session id.

2. Alternatively, the client needs to send the backend's session id to the frontend via the browser. The Jasny SSO library does this.

Disclaimer; I'm the author of Jasny SSO.

Answer 2

In the end, the only thing I've been able to find that worked was to redirect PHP session calls to my DB instead. I used this guide: https://culttt.com/2013/02/04/how-to-save-php-sessions-to-a-database/

It explains that PHP's session class can be overridden so that it works exactly the same as normal, but on the backend, you're accessing your db instead. That way, all you have to do is send the session_id with each request to the backend and use session_id($the_id); on the backend before session_start() and both the front and backend will use the same session seamlessly (you can get and set variables back and forth as you would expect).

Absolutely every attempt I made to share cookies, pull up the same session, etc. failed miserably. Maybe it would work with remote servers, but I was only simulating a backend for front and backend separation on localhost.