
Why are AppleID and SessionID the same?

I have 2 iPads using the same AppleID and logging into the same PHP website on the same cellular network. When one person logs in it works correctly. When a second person logs in, then both iPads reflect the second person that logged in. I have checked and they are sharing one session ID.


I then went on to troubleshoot the problem. This is happening on both wifi and on cellular with two particular iPads sharing an AppleID. When I had my client add another iOS device (iPhone) into the mix that had a different Apple ID, it reflected a different session ID.


How can a session ID be shared between machines? Do iOS devices sharing an Apple ID also share PHP session IDs?


Here is the login code:


    <?php
    session_start();
    // $connection is assumed to be an open mysql_* link created elsewhere.
    if (isset($_POST['login']) && !isset($_SESSION['loggedin'])) {
        $user = $_POST['user'];
        $number = $_POST['number'];
        // The POST values are interpolated directly into the SQL string.
        $sql = "SELECT `id`,`user`, `number` FROM `users` WHERE `user` = '$user' AND `number` = '$number'";
        $result = mysql_query($sql, $connection) or die("Something is wrong with your SQL statement.");
        if (mysql_num_rows($result) == 1) {
            $row = mysql_fetch_assoc($result);
            if ($row) {
                // Mark the session as logged in and remember who it belongs to.
                $_SESSION['loggedin'] = 1;
                $_SESSION['loggedinuser'] = $row['user'];
                $_SESSION['number'] = $row['number'];
            }
        } else {
            echo "Wrong Username or Password";
        }
    }


Posted on Jul 29, 2013 9:01 AM


Jul 29, 2013 9:26 AM in response to afemath

I'm sure there is something wrong with your server code. You need to rewrite it anyway. You are using an ancient MySQL interface and your code is trivially easy to exploit with SQL injection. Is "number" the password? That's not good.


I used to recommend the Zend framework but the new version is awful. You want to use MySQLi or PDO_MySQL.

Jul 31, 2013 1:09 PM in response to etresoft

I understand that I am using an old version of interacting with the SQL database, but for my purposes on this particular project, what I have set up should work fine.


I am really interested in how two iPads could be sharing a session ID. How is it even possible? I am not having this problem with any other devices or computers. It is just these two iPads. Is there something that could cause this? Does anyone have an idea?

Jul 31, 2013 3:08 PM in response to afemath

afemath wrote:


I understand that I am using an old version of interacting with the SQL database, but for my purposes on this particular project, what I have set up should work fine.


It is called SQL injection. What happens if I log in to your website with the following POST variables?

user = ' OR (number = '

number = ') OR number = '


Then your SQL is this:

SELECT `id`,`user`, `number` FROM `users` WHERE `user` = '' OR (number = '' AND `number` = '') OR number = ''


Now I can log in as anybody I want. SQL is not my strong suit. That is why I stick to modern interfaces that handle these problems for me.


I am really interested in how two iPads could be sharing a session ID. How is it even possible? I am not having this problem with any other devices or computers. It is just these two iPads. Is there something that could cause this? Does anyone have an idea?


It is a bug in your server code. The server owns the session variables. A client only has the session ID that the server sends it. If two of your iPads share the same session ID, it is because your server sent it to both.
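The PDO route recommended earlier in the thread, as an added example that is not code from any participant: the login lookup is rewritten with a prepared statement, so the POST strings quoted in the reply above are bound as data and match no row. The function names `find_user` and `login`, the in-memory SQLite database and its rows are constructed for illustration; the same prepared statement works through PDO_MySQL with a MySQL DSN.

```php
<?php
// Added example, not the original poster's code. Table and column names come
// from the thread; the SQLite database and its rows are constructed test data.

// Look up a user with a prepared statement: the values are bound as data and
// never become part of the SQL text.
function find_user(PDO $db, string $user, string $number): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user, number FROM users WHERE user = :user AND number = :number'
    );
    $stmt->execute([':user' => $user, ':number' => $number]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;   // same "exactly one row" rule as the original
}

// Web entry point mirroring the original flow (hypothetical helper).
// Assumes session_start() has already been called for this request.
function login(PDO $db, array $post): bool
{
    if (!isset($post['user'], $post['number'])
        || !is_string($post['user']) || !is_string($post['number'])) {
        return false;
    }
    $row = find_user($db, $post['user'], $post['number']);
    if ($row === null) {
        return false;
    }
    session_regenerate_id(true);   // issue a fresh session ID to the authenticated client
    $_SESSION['loggedin'] = 1;
    $_SESSION['loggedinuser'] = $row['user'];
    $_SESSION['number'] = $row['number'];
    return true;
}

// Command-line demonstration against constructed data.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, number TEXT)');
    $db->exec("INSERT INTO users (user, number) VALUES ('alice', '1234'), ('bob', '5678')");

    var_dump(find_user($db, 'alice', '1234') !== null);               // matching credentials
    var_dump(find_user($db, "' OR (number = '", "') OR number = '")); // strings from the reply above
}
```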


