Issues setting session cookies in other subdomain - php

I've been tumbling around for a while on the HTTP set-cookie topic but I'm not making any progress. My situation goes as follows:
My API is hosted on api.mysite.com and I have an admin dashboard on admin.mysite.com. I make a POST request from admin.mysite.com to api.mysite.com/login to verify credentials and it returns the session cookie. The cookie configuration is:
session_set_cookie_params([
    'lifetime' => 36000,
    'path' => '/',
    'domain' => '.mysite.com.co',
    'secure' => 1,
    'httponly' => 0,
    'samesite' => 'None'
]);
The response seems okay:
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 16:22:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=63072000
Access-Control-Allow-Origin: https://admin.mysite.com
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, accept, authorization, client-security-token, Cache-Control, X-Mashape-Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Expose-Headers: Content-Security-Policy, Location
Access-Control-Max-Age: 1000
Upgrade: h2
Connection: Upgrade, Keep-Alive
Set-Cookie: PHPSESSID=hash; expires=Fri, 05-Nov-2021 02:22:57 GMT; Max-Age=36000; path=/; domain=.mysite.com; secure; SameSite=None
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Credentials: true
Content-Length: 549
Keep-Alive: timeout=5, max=100
Content-Type: text/html; charset=UTF-8
But the cookie is not stored. However, it is stored if I make the request from api.mysite.com/testCookies to api.mysite.com/login, so it seems to be a domain/site problem (maybe CORS?).
I would appreciate any guidance on this topic.

Same answer as here. The key point is the usage of the withCredentials property. Not sure, though, why I have to send them even if the cookies originate on subdomain A and are set on subdomain B.

Related

CORS Ajax Request: Set-Cookie failing

The CORS scheme is:
AJAX Call from: https://remotewebsite.com/
GET Request to http://localhost/?param=ThisIsImportant
I am using localhost because it is still in development.
Request URL: http://localhost/?param=ThisIsImportant
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:80
Referrer Policy: strict-origin-when-cross-origin
Response Headers
Access-Control-Allow-Origin: *
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 226
Content-Type: text/html; charset=UTF-8
Date: Mon, 27 Sep 2021 20:18:08 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
Set-Cookie: PHPSESSID=00fg461kl112lctp7ooqr5mder; path=/
X-Powered-By: PHP/8.0.8
PHP Pseudo-code
session_start();
$_SESSION['hash'] = $_GET['param'];
If I enter in http://localhost and visit a script with:
session_start();
print_r($_SESSION);
Session is empty. If I check cookies in developer tools, PHPSESSID is different from the one on AJAX response.
I need to set the PHPSESSID during the AJAX response and keep it, and be able to retrieve the SESSION['hash'] set in PHP during that AJAX request, including in other scripts on localhost. Is that possible?
Found that the $.ajax request should contain:
$.ajax({
    url: 'http://localhost/?param=ThisIsImportant',
    xhrFields: { withCredentials: true }, // send and accept cookies on the cross-origin request
    crossDomain: true
});
On the server side, the script needs (before session_start()):
// once credentials are allowed, the requesting origin must be echoed exactly; a wildcard is refused
header('Access-Control-Allow-Origin: https://remotewebsite.com');
header('Access-Control-Allow-Credentials: true');
session_set_cookie_params([
    'samesite' => 'None', // None, Lax or Strict; None is needed for a cross-site response
    'secure'   => true,   // mandatory together with SameSite=None
    'httponly' => true
]);
that's it.

Why does PHP sometimes return HTTP headers as plain text (HTTP/1.1 200 OK) where it should return only JSON?

I have a dynamic website which sends a request to the server every 50 seconds; if the user uses the chat it is every 1 second, but sometimes PHP returns text like below:
HTTP/1.1 200 OK
Date: Wed, 23 Nov 2016 03:04:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: d=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Vary: Origin
Keep-Alive: timeout=5, max=74
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
2
[]
My PHP part only gets data from mysqli and uses echo json_encode(); in the example, as you see, it returned JSON like [] but it also returned HTTP/1.1 200 OK ... and the like. What is the problem? Is it about the host, a server problem, the hosting, or is the reason that I send so many requests?
You can specify the Content-Type of your response by adding in PHP, before the json_encode call:
header('Content-Type: application/json');
This way you can be sure the response is sent by PHP as application/json.

Magento does not set cookie on product/category page

So here is the issue: Magento doesn't seem to set a cookie on the product/category page.
It doesn't show any cart items or customer login information on product page, however all the items appear fine on home page and rest of the pages on site.
I checked headers for two of the pages.
Here is the product page:
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Tue, 15 Mar 2016 05:01:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
X-Cacheable: NO:Cache-Control=no-cache
Accept-Ranges: bytes
X-Served-From-Cache: Yes
Here is the home page headers (which is working fine)
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Tue, 15 Mar 2016 05:02:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: frontend=n7m2mbnoo861h84r9ma40of221; expires=Wed, 16-Mar-2016 05:02:12 GMT; path=/store/; domain=-----; HttpOnly
Vary: Accept-Encoding
X-Cacheable: NO:Cache-Control=no-cache
Accept-Ranges: bytes
X-Served-From-Cache: Yes
Any idea what's happening?
I have tried increasing the cookie lifetime to 86400, setting the cookie path to /store/ and the cookie domain to (www.mydomain.com).
It turns out the issue was a misconfiguration of Varnish on the server. It was serving cached pages. Solution: restarted Varnish.

CORS not working in Firefox

I am trying to load data into a jQuery dialog via ajax but the request is failing in Firefox (34.0.5). Works fine and I get no complaints in Chrome and Safari.
My apache conf contains:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
The jQuery is simply:
$('#dialog').load('example.php', function() { $('#dialog').dialog('open'); });
Firefox responds with the following console error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.example.com/example.php. This can be fixed by moving the resource to the same domain or enabling CORS.
Inspecting the response headers from the ajax request they all seem to be intact and inline with what's declared in apache. Should I be including some other directive or changing the configuration in some way for this to work?
UPDATE: At the root of the issue is the fact that I'd like both example.com and www.example.com to function the same. The site in question always has a tag in the header <base href="www.example.com" /> in both instances as this is part of the default site framework. I've since discovered that removing this link allows the ajax request to work on example.com, even when it still specifically calls a resource from the www subdomain.
Interestingly, many aspects of the request and response headers change when this tag is removed. For anyone who might have a clue about the implications here I'm pasting both the request and response headers below.
Here are the headers with <base> tag removed. In this case the ajax call was successful:
RESPONSE
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 22:11:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: PHPSESSID=xxx; path=/; HttpOnly
language=en; expires=Tue, 17-Feb-2015 22:11:04 GMT; Max-Age=2592000; path=/; domain=www.example.com
currency=CAD; expires=Tue, 17-Feb-2015 22:11:04 GMT; Max-Age=2592000; path=/; domain=www.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Content-Encoding: gzip
access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS
access-control-allow-origin: *
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 1515
Connection: close
Content-Type: text/html; charset=utf-8
REQUEST
GET /example.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:34.0) Gecko/20100101 Firefox/34.0 FirePHP/0.7.4
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/
Origin: http://example.com
x-insight: activate
Connection: keep-alive
Cache-Control: max-age=0
And here are the headers with the <base> tag intact. These headers reflect the scenario where the ajax call failed. It's worth noting that the 'Location' field in the response header says 'https' even though this was not happening over an https connection:
RESPONSE
HTTP/1.1 302 Found
Date: Sun, 18 Jan 2015 22:12:26 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: PHPSESSID=xxx; path=/; HttpOnly
language=en; expires=Tue, 17-Feb-2015 22:12:26 GMT; Max-Age=2592000; path=/; domain=www.example.com
currency=CAD; expires=Tue, 17-Feb-2015 22:12:26 GMT; Max-Age=2592000; path=/; domain=www.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Status: 302
Location: https://www.example.com/index.php
access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS
access-control-allow-origin: *
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 0
Connection: close
Content-Type: text/html
REQUEST
OPTIONS /example.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:34.0) Gecko/20100101 Firefox/34.0 FirePHP/0.7.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://example.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
x-insight: activate
Connection: keep-alive
Cache-Control: max-age=0
According to MDN, you can't use the wildcard for "credentialed requests", so maybe your request falls in that category.
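Added example, not code from any of the posts above, that ties together the three CORS threads on this page (the admin/api subdomain question, the remotewebsite.com/localhost question and this one): given the request context and the response headers, it lists every reason a browser would refuse to store the returned session cookie. It assumes Node.js; the same-site test is a simplified last-two-labels comparison rather than the public suffix list a real browser consults.

```javascript
// Added example (not from the posts above): why a session cookie returned by a
// cross-origin request is dropped. Hosts and headers mirror the questions on this page.

// Parse one Set-Cookie value into { name, value, attrs } (attribute names lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// RFC 6265 domain-match: the Domain attribute (leading dot ignored) must be the
// request host itself or one of its parent domains.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  return host === d || host.endsWith('.' + d);
}

// Same-site check, simplified: compare the last two labels of each host
// (a browser uses the public suffix list here).
function sameSite(hostA, hostB) {
  const site = (h) => h.toLowerCase().split('.').slice(-2).join('.');
  return site(hostA) === site(hostB);
}

// Returns the rejection reasons; an empty array means the cookie is stored.
function cookieRejectionReasons({ origin, host, withCredentials, https, headers }) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const reasons = [];
  // fetch()/XHR ignore Set-Cookie on a cross-origin response unless credentials were requested.
  if (!withCredentials) reasons.push('request sent without credentials, Set-Cookie ignored');
  // With credentials, the wildcard is refused and the origin has to be echoed exactly.
  if (h['access-control-allow-credentials'] !== 'true') reasons.push('Access-Control-Allow-Credentials: true missing');
  if (h['access-control-allow-origin'] !== origin) reasons.push('Access-Control-Allow-Origin must be ' + origin + ', not ' + h['access-control-allow-origin']);
  if (!h['set-cookie']) return reasons.concat('no Set-Cookie header');
  const c = parseSetCookie(h['set-cookie']);
  const ss = String(c.attrs.samesite || 'Lax').toLowerCase();
  const crossSite = !sameSite(new URL(origin).hostname, host);
  if (crossSite && ss !== 'none') reasons.push('SameSite=' + ss + ' cookie rejected on a cross-site response');
  if (ss === 'none' && !c.attrs.secure) reasons.push('SameSite=None requires Secure');
  if (c.attrs.secure && !https) reasons.push('Secure cookie cannot be set over http');
  if (c.attrs.domain && !domainMatches(host.toLowerCase(), c.attrs.domain)) reasons.push('Domain=' + c.attrs.domain + ' does not match ' + host);
  return reasons;
}
```

Run against the first question's headers it reports nothing once withCredentials is set (admin and api are same-site, so SameSite is not what blocks it), while a Domain of .mysite.com.co on api.mysite.com is reported as a mismatch; for the wildcard responses it reports the Access-Control-Allow-Origin and Access-Control-Allow-Credentials problems this answer refers to.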

Php Soap Headers Not Getting Set

I cannot get my PHP to set a value in the SOAP header.
My code is:
$requestParams = 'Parameters I am passing into the WS';
$client = new SoapClient('https://webservice.wsdl',array(
'login' => "user",
'password' => "password",
'trace' => 1,
'sessionID' => "93b23bb6e611db8548f2ee9485bc7d17"));
$client->submitRequest($requestParams);
I process the returned code and it does return what I expect. Then I call
$client->release();
which should release this sessionID.
The Web service I am calling uses a sessionID variable and if one is not passed it will create one for you but you can only have 5 unique sessions created before it locks you out for 5 min.
If you open a session you can reuse it as long as you free a session off and don't have more than five open.
My problem is that everything works but the web service does not see my sessionID variable because every time I make a call it issues me a new sessionID. So it created 5 new sessionID's and I have no way of freeing them off when completed and I have to wait till they timeout on the server.
Web Service Call #1 string(414) "HTTP/1.1 200 OK Date: Fri, 01 Aug 2014 20:56:32 GMT Server: Apache Set-Cookie: PHPSESSID=ee6d8e3f9e6e1b9dac35e10f917a69c8; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=ee6d8e3f9e6e1b9dac35e10f917a69c8; path=/ Content-Length: 560 Connection: close Content-Type: text/xml; charset=utf-8 "
Web Service Call #2 string(414) "HTTP/1.1 200 OK Date: Fri, 01 Aug 2014 20:57:18 GMT Server: Apache Set-Cookie: PHPSESSID=46d99f3b92d095981119b7050686967c; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=46d99f3b92d095981119b7050686967c; path=/ Content-Length: 560 Connection: close Content-Type: text/xml; charset=utf-8 "
And so on, until I get a connection refused and I have to wait. If the session ID were passed in the SOAP header from the code above, the response would look like:
string(414) "HTTP/1.1 200 OK Date: Fri, 01 Aug 2014 20:58:18 GMT Server: Apache Set-Cookie: PHPSESSID=93b23bb6e611db8548f2ee9485bc7d17; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=93b23bb6e611db8548f2ee9485bc7d17; path=/ Content-Length: 560 Connection: close Content-Type: text/xml; charset=utf-8 "
You need to use the _cookies and the __setCookie methods on the SoapClient class to get and set the Session ID for use during SOAP calls.
Your code would look like this:
$requestParams = 'Parameters I am passing into the WS';
$sessionId = "93b23bb6e611db8548f2ee9485bc7d17";
$client = new SoapClient('https://webservice.wsdl',array(
'login' => "user",
'password' => "password",
'trace' => 1));
$client->__setCookie('PHPSESSID', $sessionId);
// ... your requests
If you are making the calls in separate stateless runs of the script, then you also need to set up some method of persistence to make the session ID persist between uses.
