[SOLVED] My session ID keeps changing when my webhook receives updates from the telegram bot API

My session ID keeps changing when my webhook receives updates from the telegram bot API

I have a xampp local server (for testing my telegram bot with php) with ngrok that open my server to the internet. When i try to call my webhoook.php file on the ngrok url (and on the localhost) my session ID is always the same (as it should be). But when an user tries to send a message to my bot (triggering the webhook) the session id keeps changing every time, so it doesn't save the data! My ngrok server is using https and my xampp local server uses http. (i also tried to use https for xampp but the session id keeps changing regardless).

webhook.php

<?php
session_start();
require 'vendor/autoload.php';
require 'variables.php';

if(isset($_SESSION["statusNewAsta"]))
    $statusNewAsta = $_SESSION["statusNewAsta"];

$bot = new TelegramBot\Api\BotApi($apiToken);

$update = json_decode(file_get_contents('php://input'), true);
file_put_contents('log.txt', session_id(), FILE_APPEND);

echo session_id();

if(isset($update['message'])) {
    $message = $update['message'];
    $chatId = $message['chat']['id'];

    if (isset($message['text']))
        switch ($message['text'])
        {
            case '/start': commandStart($chatId); break;
            case '/newAsta': 
                if(in_array($chatId,$adminIds))
                    commandNewAsta($chatId); 
                else
                    $bot->sendMessage($chatId,'Non puoi eseguire questo comando!');
                break;
            default: 
                if(in_array($chatId,$adminIds))
                    if(isset($_SESSION["statusNewAsta"]))
                        switch ($stepCreatingAsta)
                        {
                            case "waiting_name": getNameNewAsta($chatId,$message['text']);
                        }
                break;
        }
}

i was saving the data i received from the webhook in a file for debugging, i tried to use that same method for checking live the session id after the webhook.php is called within a request and i can see that the session id keeps changing. When i try to access a variable the array is obviuosly empty.

I wanted my session id to remain the same through the webhook calls, and i wanted my user to send a name of an object that the bot has to remember, that's why i'm not using a database, cause the data is sent to the database after the user provides all the data. Also i want my bot to remember in witch state the request for creating a new object is (that's the data i want to remember with the session)

Solution

You simply cannot assume that the session will always be the same when writing code for a webhook.

The whole assumption is wrong. Sessions are associated with clients. As long as you are the client you see your sessions, but that cannot be case for your users.

In short: Do not use session information in a webhook.