I am using phonegap and I want to provide a version of my app as follows:
I'm running a https service. I login using an ajax function and retrieve the phpsession to the frontend (in phonegap).
I confirm that the login works because I receive the php session string. I then redirect the user to another phonegap page where I display my website via
<iframe style="width:100%; height:100%" src="my_website" />
However, the php session fetched via ajax is not started in the iframe and I need it to be. How can I do this so that the iframe starts with the same php session?
Thank you very much for your help.
First, understand the dangers of exposing session values in this way (https mitigates hijacking but not when the attack vector is XSS).
Then, either...
Drop the session id into a cookie when the AJAX request lands,
or append it to the URL used to retrieve the iframe content and enable transid in the config or add some PHP code to parse it yourself, e.g.
<?php
if (isset($_GET[session_name()]) && 10<strlen($_GET[session_name()))) {
session_id($_GET[session_name()]);
}
session_start();
...