How do I share a PHP session between regular PHP/HTML pages and an Angular page?

I have written a web application mostly using HTML and PHP.

All (login-required) pages of the website are controlled using a PHP session, except one single SPA Angular page.

Users login using HTML and PHP, and a PHP session is created to authenticate the users.

When users click to go to the Angular page, I do not want to ask the users to log in again, so is there a way to securely share the existing PHP session with an Angular page?

Thank you for your help.



Solution 1:[1]

I'm not sure if "sharing" a session is possible and even if it is, it's probably not recommended or standard practice. Generally you'll want to make your frontend make calls to your backend API. Thus, if a user went to your Angular page, you could make an API request to check if a user has been authenticated before showing the login page.

It's hard to tell you what a secure and minimal-change option is for your particular app without more details, but you should be able to use a secure server-side cookie that is sent with every API request from Angular or React (using axios you can set withCredentials) to the API (it doesn't have to be an API, it could be a PHP page that is set up to handle the request) that contains a JWT (may be overly complex for your use case) that can verify the user is authenticated. JWT data can be seen from the frontend, so don't use it as a secure way to check for hidden or secret data, but it is a way to validate verified data.

Even though it's convenient, I'd stay away from passing around passwords or password hashes, especially in frontend-accessible cookies (which are generally frowned upon anyway).
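The check described in Solution 1, as an added example that is not code from the question or from any of the answerers: a small PHP endpoint the Angular page can call on startup. Because the browser already holds the PHPSESSID cookie from the HTML/PHP login, the endpoint only has to resume that session and report whether it is authenticated; nothing secret is ever handed to the SPA. The session key `$_SESSION['user_id']` (and the optional `username`) are assumptions about what the existing login code stores.

```php
<?php
// check_session.php (added example, not part of the original question or answers).
// Assumes the existing HTML/PHP login stores the user's id in $_SESSION['user_id'].
declare(strict_types=1);

// Harden the session cookie before session_start(): HttpOnly keeps it out of
// reach of the Angular JavaScript (which never needs to read it), Secure limits
// it to HTTPS, and SameSite=Lax stops cross-site form posts from riding the session.
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

header('Content-Type: application/json');
header('Cache-Control: no-store'); // never let an auth answer be cached

if (empty($_SESSION['user_id'])) {
    // Not logged in: the SPA should redirect to the existing HTML login page.
    http_response_code(401);
    echo json_encode(['authenticated' => false]);
    exit;
}

// Return only what the SPA needs to render; the session id stays in the cookie.
echo json_encode([
    'authenticated' => true,
    'user_id'       => (int) $_SESSION['user_id'],
    'username'      => $_SESSION['username'] ?? null,
]);
```

On the Angular side the call is an ordinary `HttpClient` GET of `/check_session.php`. If the SPA is served from the same origin as the PHP pages the cookie is sent automatically; if it lives on a different origin, pass `{ withCredentials: true }` in the request options and have the PHP side answer with `Access-Control-Allow-Credentials: true` and an explicit `Access-Control-Allow-Origin` (a wildcard origin is refused by browsers when credentials are included).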

Solution 2:[2]

After login in PHP, you can store the credentials (username, password) encrypted in a cookie, with sha1() for example.

In Angular you read that cookie, extract the username and the hashed password and check them via a POST AJAX request (/check_credentials.php) before letting the user into the SPA.

If you have token-based security (the token expires after a period and must be renewed), you can store the encrypted token in the cookie instead of the hashed password, which can be a vulnerability to XSS attacks (https://owasp.org/www-community/attacks/xss/), and check the token via AJAX from Angular.

Solution 3:[3]

You have to know that the session cookie is unset if you leave the browser.

So now you must save the information in long-lived cookies ... for example, save the username and password in a persistent cookie ...

But note that you should encrypt the password and the username which are stored in the cookie.

BUT be aware - if somebody can set these cookies, e.g. in a browser add-on which allows cookies to be set manually, then it doesn't matter if you encrypt or not!
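Solutions 2 and 3 both reach for a persistent cookie so the user is not asked to log in again after the browser is closed. The added example below (not code from either answerer) shows the usual way to get that persistence without putting the username, password or password hash in the cookie: the cookie carries only a random token, the server stores a hash of it, and the token is rotated on every use. A forged cookie of the kind Solution 3 warns about simply fails the hash comparison, and a stolen database row cannot be replayed because the hash is not the token. The table `remember_tokens` with columns `selector`, `token_hash`, `user_id`, `expires_at` and the cookie name `remember_me` are assumptions for illustration.

```php
<?php
// Persistent ("remember me") login without credentials in the cookie.
// Added example; table and column names are assumptions, not from the page.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

// Call right after a successful password login when the user ticked "remember me".
function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key (24 hex chars)
    $validator = bin2hex(random_bytes(32)); // secret, lives only in the cookie (64 hex chars)
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
         VALUES (:sel, :hash, :uid, :exp)'
    );
    $stmt->execute([
        ':sel'  => $selector,
        ':hash' => hash('sha256', $validator), // only the hash is stored server-side
        ':uid'  => $userId,
        ':exp'  => $expires,
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from Angular/JavaScript, limits XSS impact
        'samesite' => 'Lax',
    ]);
}

// Call when a request arrives without an authenticated session, before any output.
// Returns the user id on success, or null when the cookie is missing, malformed,
// expired, revoked (row deleted) or forged (hash mismatch).
function resumeFromRememberToken(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;

    $stmt = $db->prepare(
        'SELECT token_hash, user_id FROM remember_tokens
         WHERE selector = :sel AND expires_at > :now'
    );
    $stmt->execute([':sel' => $selector, ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time comparison; known value first.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }

    // One-time use: delete the row so a cookie copied earlier stops working
    // as soon as the legitimate user's next visit rotates it.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = :sel')
       ->execute([':sel' => $selector]);

    $userId = (int) $row['user_id'];
    session_start();
    session_regenerate_id(true);      // fresh session id for the resumed login
    $_SESSION['user_id'] = $userId;
    issueRememberToken($db, $userId); // rotate the remember-me token as well
    return $userId;
}
```

Both PHP pages and the endpoint the Angular SPA calls can run `resumeFromRememberToken()` when `$_SESSION['user_id']` is empty, so the SPA never has to handle credentials itself. Logging out should delete the user's rows from `remember_tokens` and clear the cookie, which is what makes server-side storage preferable to anything self-contained in the cookie: a token can be revoked, an encrypted password cannot.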

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Dillan Wilding
Solution 2
Solution 3 Ensai Tankado