Security Provider not retaining user ID

I’m working on a mobile app project that has got a login page. The login works successfully, but as soon as I try to get any details about the user in a separate Server Action using the identity that’s returned by the Security Provider, the identity is returned as ‘null’ so the query fails.

If I add the query to the same Server Action file as the login step, the Security Provider returns the correct identity and it works, but this isn’t very useful for keeping the rest of the app secure. It seems like the Security Provider is forgetting the identity as soon as the Server Action has completed, even though there are cookies being set.

I’ve followed the ‘Security and Login’ tutorials to set up the Server Actions, and the Security Providers are linked to the same Action File, so it should be working.

Does anybody know why this might be happening?


Hello can you please send the server action structure (a screenshot) for the separate action?
Did you secure the separate server action?

Thank you!

Hello! Here are the screenshots of the Server Actions from the new project that I created when I started having issues. Thanks again!

Can you send one more screenshot of the query in your second server action, more than likely the conditions tab of the query.

Edit: It does seem like in your second query the Security Restrict step is almost disabled, please click on it and also make sure you have chosen the provider from the dropdown of available providers.

Just a heads-up mobile app pages won’t support/run PHP so the Security Provider will not protect them. I assume these are .html pages you are working with? You will have to use a redirect for each group or use conditional regions to display your data. As of yet there is no way to use Security Provider in .html pages (a variant would be amazing to do just this). You can pass the sessions and cookies just fine though. Might have to make some tweaks to your content security policy for the pages…

1 Like


The Security Restrict step was disabled because the Security Provider was returning ‘null’ for the identity, which was resulting in the Server Action returning 401 status codes.

Here’s the screenshot of the query.

Thanks again.

hmm all looks correct to me, I have to assume then that Dave is on the right track as far as the App side, but he is far more advanced than I from that side, sadly im a little lost with the Mobile App side currently.

Or I should say that Android does not support PHP at this current time, thus the knock on effect is that we can’t develop in PHP for Android deployments. Everything on the back-end can run PHP but on the front end for now is .html…


Thank you for your response. The PHP is running on the backend. The issue seems to be with the PHPSESSID cookie not being sent in the request headers from the second server action. Have you come across this before?

We need to see the security provider settings to ascertain if you are requesting the correct session. This should be the same as the column you have used for the identity value in the security provider. Some use the id and others (myself included) do not, we use another column for this value, if you do the same then maybe you need to rename your session value to match it correctly? Also you have ticked the little chain icon to link the security provider?


What column are you using for your identity, id? If you are using a different value remember to select that value in your other query and not the id. That is my first thought…

It’s ‘user_id’ in both places… Yeah, both Security Providers are linked to the ‘testSecurity’ Action File.

1 Like

Silly thing really, have you cleaned out your browser cache and temporary files and tried again? Also if the server is caching maybe need to clear that too…

Yeah, the only place that it works is inside Wappler… I’m using WKWebView, and I thought that it might be related to that, but that wouldn’t affect the browser version, would it?

It might sound silly but make sure that you have the right target selected (localhost or remote) and upload all files. It might be that some files are not uploaded.

Thank you.

Yeah, I’ve been using FTP to check that my files are updating. Thanks again.

Hi @psweb, @Dave and @t11,

In case anyone has any issues with WKWebView storing and sending cookies in the future, here’s the solution: WKWebView, Form POST and Session Cookies

Thanks again for your help!