The CORS scheme is:
AJAX Call from: https://remotewebsite.com/
GET Request to http://localhost/?param=ThisIsImportant
I am using localhost because it still in development.
Request URL: http://localhost/?param=ThisIsImportant
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:80
Referrer Policy: strict-origin-when-cross-origin
Response Headers
Access-Control-Allow-Origin: *
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 226
Content-Type: text/html; charset=UTF-8
Date: Mon, 27 Sep 2021 20:18:08 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
Set-Cookie: PHPSESSID=00fg461kl112lctp7ooqr5mder; path=/
X-Powered-By: PHP/8.0.8
PHP Pseudo-code
session_start();
$_SESSION['hash'] = $_GET['param'];
If I enter in http://localhost and visit a script with:
session_start();
print_r($_SESSION);
Session is empty. If I check cookies in developer tools, PHPSESSID is different from the one on AJAX response.
I need set the PHPSESSID during AJAX response and kept, and be able to retrieve the SESSION['hash'] set on PHP during that AJAX request. Including in another scripts on localhost. Is that possible?
Found that the $.ajax request should contain
withCredentials: true
crossDomain: true
on server-side, the script need:
header('Access-Control-Allow-Credentials: true');
session_set_cookie_params(["SameSite" => "none"]); //none, lax, strict
session_set_cookie_params(["Secure" => "true"]); //false, true
session_set_cookie_params(["HttpOnly" => "true"]); //false, true
that's it.
Related
I've been tumbling around for a while on the HTTP set-cookie topic but I'm not making any progress. My situation goes as follows:
My API is hosted on api.mysite.com and I have an admin dashboard on admin.mysite.com. I make a POST request from admin.mysite.com to api.mysite.com/login to verify credentials and it returns the session cookie. The cookie configuration is:
session_set_cookie_params([
'lifetime' => 36000,
'path' => '/',
'domain' => '.mysite.com.co',
'secure' => 1,
'httponly' => 0,
'samesite' => 'None'
]);
The response seems okay:
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 16:22:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=63072000
Access-Control-Allow-Origin: https://admin.mysite.com
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, accept, authorization, client-security-token, Cache-Control, X-Mashape-Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Expose-Headers: Content-Security-Policy, Location
Access-Control-Max-Age: 1000
Upgrade: h2
Connection: Upgrade, Keep-Alive
Set-Cookie: PHPSESSID=hash; expires=Fri, 05-Nov-2021 02:22:57 GMT; Max-Age=36000; path=/; domain=.mysite.com; secure; SameSite=None
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Credentials: true
Content-Length: 549
Keep-Alive: timeout=5, max=100
Content-Type: text/html; charset=UTF-8
But the cookie is not stored. However, it is stored if I make the request from api.mysite.com/testCookies to api.mysite.com/login so it seems to be a domain/site problem (maybe CORS?)
I will appreciate any guidance on this topic.
Same answer as here. The keypoint is the usage of withCredentials property. Not sure though, why do I have to send them even if the cookies are originated on subdomain A and set on subdomain B.
I am working on project based on inserting events in icalendar(iPhone) through CALDAV protocol using PHP language
In localhost the code is working fine.. when adding the same code to server using some functions, received unknown HTTP status..
I tried using dataType:"text/plain" and also I tried contentType, still not fixed.. I removed ajax function.. directly link to file.. still its showing ame error.. sometimes its shows HTTP/1.1 500 Internal Server Error and http/1.1 415 unsupported media type
last request:
PUT /rpc/calendars/mediaj11/calendar~722ea7444446*******/.ics HTTP/1.1
Host: mail.mediajenie.com:2080
Authorization: Basic **********
User-Agent: cURL based CalDAV client
Accept: */*
Content-type: text/calendar; encoding="utf-8"
Depth: 1
Content-Length: 556
last response:
HTTP/1.1 500 Internal Server Error
Date: Fri, 28 Jun 2019 10:10:48 GMT
Server: cPanel
Persistent-Auth: false
Host: mail.mediajenie.com:2080
Cache-Control: no-cache, no-store, must-revalidate, private
Connection: Keep-Alive
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3011
Content-Type: text/html; charset=UTF-8
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Set-Cookie: PHPSESSID=5e8045144d7823ac82049d0c7ad40247; path=/
Set-Cookie: horde_secret_key=5e8045144d7823ac82049d0c7ad40247; path=/; domain=mail.mediajenie.com; HttpOnly
Set-Cookie: default_horde_view=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=mail.mediajenie.com
X-Powered-By: PHP/7.2.7
So I've got a server to server application. The PHP script on server 1, domain 1 sets a custom header in the page (Authorization: Bearer 123456789). The script on server 2, domain 2 uses get_headers() to read the headers.
It all works fine when the files are served natively. But when the script on server 1 is included in a Joomla module get_headers() doesn't retrieve the custom header.
In both cases, developer tools shows the custom header but also some different headers than returned by get_headers().
The code below uses JFactory to set the headers if Joomla is loaded but it is the same result using header(). Joomla just isn't passing the custom header.
I don't get it. Anyone have any idea what is going on here? Its not a SEF or htaccess issue.
<?php
// Server 1
if(!class_exists("JFactory")){ // no Joomla
header('Authorization: Bearer 123456789');
} else { // Joomla framework loaded
$app = JFactory::getApplication();
$app->setHeader('Authorization: ', 'Bearer 123456789');
$app->sendHeaders();
}
The code on server 2:
<?php
// Server 2
$headers = get_headers("http://server1.com/");
foreach($headers as $header) {
echo $header ."<br/>";
}
Output from get_headers() when served natively:
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 12:44:35 GMT
Server: Apache
Authorization: Bearer 123456789
Content-Length: 0
Connection: close
Content-Type: text/html
Output from get_headers() when served by Joomla:
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 12:45:49 GMT
Server: Apache
Set-Cookie: 3c460b3da9ecb202e794816b4144c6ff=ja7mn4b4njov98lsv76kk8pvu2; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 1264
Connection: close
Content-Type: text/html
Native headers displayed by developer tools:
Authorization: Bearer 123456789
Date: Thu, 19 Jan 2017 13:07:32 GMT
Server: Apache
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Content-Length: 0
Content-Type: text/html
200 OK
Joomla headers displayed by developer tools:
Pragma: no-cache
Date: Thu, 19 Jan 2017 12:19:24 GMT
Last-Modified: Thu, 19 Jan 2017 12:19:25 GMT
Server: Apache
Authorization: : Bearer 123456789
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Content-Length: 76888
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Remove double dot from setheader call :
$app = JFactory::getApplication();
$app->setHeader('Authorization', 'Bearer 123456789');
$app->sendHeaders();
Thanks for the suggestion Yoleth. I tested this and got the same result.
However I have found the problem. The Joomla site setting the header is using a component called Site Lock. This is similar to putting the site off line but has some nice features for developers.
Basically Site Lock was preventing the page being served and just returning the headers from the lock page (as it should). I don't know why I didn't see it earlier. Sometimes just can't see the forest for the trees!
I use symfony2 and create a web service :
$response = new JsonResponse();
$response->setData(array(
'dt' => time()
));
return $response;
The response have this header
HTTP/1.1 200 OK
Date: Tue, 23 Dec 2014 10:23:06 GMT
Server: Apache/2.4.9 (Win64) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Cache-Control: no-cache
X-Debug-Token: 27ccd9
X-Debug-Token-Link: /capteur/web/app_dev.php/_profiler/27ccd9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json
However the electronical device who call this webservice need a smaller header like this :
HTTP/1.1 200 OK
{"dt":1418812347}
How could I accomplish this with symfony2 ?
Symfony always add a lot of things in the header ...
Thanks !
EDIT
In production mode some header are disabled.
Whith some .htaccess rules :
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset Keep-Alive
Header unset Content-Length
Header unset Server
Header unset ETag
Header unset Cache-Control
Header unset Last-Modified
Header unset Date
Header unset Accept-Ranges
Header unset Connection
Header unset Content-Type
</IfModule>
some header are still here :
Cache-Control:no-cache
Connection:Keep-Alive
Content-Type:application/json
Date:Wed, 31 Dec 2014 13:48:20 GMT
Keep-Alive:timeout=5, max=100
Server:Apache
Transfer-Encoding:chunked
After a lot of try, I think it's the smallest header available under apache server.
In my current application the PHPSESSID Cookie gets send multiple times. Here's a sample response:
HTTP/1.1 200 OK
Date: Tue, 11 Jun 2013 08:18:29 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.15-1~dotdeb.0
Set-Cookie: ZDEDebuggerPresent=php,phtml,php3; path=/ PHPSESSID=625qvi6328pdq2t7psh4t3voi6; path=/ PHPSESSID=625qvi6328pdq2t7psh4t3voi6; path=/ PHPSESSID=625qvi6328pdq2t7psh4t3voi6; path=/
Cache-Control: no-cache
x-debug-token: 9dcc688323f1dad273d4c8fc7117f405a52ce998
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
As you can see, there are three PHPSESSIDs.
I tried to reproduce this behavior with a single file with three session_start(); calls:
<?php
session_start();
session_start();
session_start();
but the cookie was send only once.
Any idea how this could happen?
I found the culprit. Somewhere deep in the legacy code was a session_commit which was called multiple times.