So I have my PHP on a server, and my angular app locally.
for every request I make, I am getting back a different PHP session id in my network tab. Because of this I cannot test my session cookie as it doesn't exist.
When I bundle the app and put it on the server (same server as php files) then the sessionID is the same, So I am only having this issue locally.
I have added the correct CORS on my php file (just above session_start()) and I am sending withCredentials: true with my request, yet the session is always different.
Is there anything I need to look out for?
I am somewhat a PHP novice and more experienced in Angular so any help is appreciated.
Angular post request:
loginSession(form: string) {
const options = {
headers: new HttpHeaders().set('Content-Type', 'application/json; charset=utf-8'),
withCredentials: true
}
return this.httpClient.post<any>(`${this.SERVER}/function.php`, form, options);
}
Response Headers:
access-control-allow-credentials: true
access-control-allow-headers: Content-Type
access-control-allow-methods: POST, GET, OPTIONS, DELETE, PUT
access-control-allow-origin: http://localhost:4200
cache-control: no-store, no-cache, must-revalidate
content-type: text/html; charset=UTF-8
date: Wed, 15 Jan 2020 08:44:27 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
server: Apache
status: 200
vary: Accept-Encoding,User-Agent
x-content-encoding-over-network: gzip
Request Headers:
:authority: mysite.com
:method: POST
:path: /function.php
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
content-length: 68
content-type: application/json; charset=UTF-8
cookie: PHPSESSID=93cfc63e3b04eb7bf6f633ae1b11fba7
origin: http://localhost:4200
pragma: no-cache
referer: http://localhost:4200/
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Thank you
Possibly your request is not sending cookies with the request. Php requires client side cookies to maintain the session.
Share your code to provide a better answer. But for time being you should made the request with, withCredentials option set to true.
let options = new RequestOptions({ headers: headers, withCredentials: true });
this.http.post(url, data, options)
Related
This question already has answers here:
403 "rest_forbidden" error in WordPress REST API (but only for settings)?
(3 answers)
Reason I would get 403 rest_forbidden accessing WP API taxonomies/name-of-taxonomy?
(1 answer)
Closed 4 months ago.
I'm trying to setup a REST API on my Wordpress site but I keep getting a:
403 "rest_forbidden","message": "Sorry, you are not allowed to do that."
I have tried almost everything related to the .htaccess, file & folder permissions and code debugging but is seems to be in order.
I've noticed in Chrome DevTools on my REST request that I get this error:
Request URL: https://mysite/wp-json/agility/v1/body_reactions_exercise_submits/
Request Method: POST
Status Code: 403
Remote Address: 93.192.149.128:443
Referrer Policy: strict-origin-when-cross-origin
Which led me to think that the error is found here.
Response headers:
access-control-allow-credentials: true
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-origin: https://mysite.dk
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
cache-control: no-cache, must-revalidate, max-age=0
content-type: application/json; charset=UTF-8
date: Mon, 07 Nov 2022 18:50:31 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
link: <https://mysite.dk/wp-json/>; rel="https://api.w.org/"
server: Apache
simplycom-server: Apache
vary: Origin
x-content-type-options: nosniff
x-content-type-options: nosniff
x-robots-tag: noindex
x-wp-nonce: 4e1d47ebca
Request headers:
authority: mysite.dk
:method: POST
:path: /wp-json/agility/v1/body_reactions_exercise_submits/
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,en-US;q=0.8,da;q=0.7
cache-control: no-cache
content-length: 39
content-type: application/x-www-form-urlencoded; charset=UTF-8
cookie: wf_loginalerted_deb7f1485ddd09882bf2b25862ac974db44f82cb0feb4afb7ac0dbeee3799b7b=4ff7d692ac9d5cb4526429c25da1fc5f6e3286dbba09472269b935b244bdcf30; wordpress_logged_in_673d309d9a05f5b76cf56a2a2ed5cfc7=su-admin-fll%7C1668019650%7CxFCQO4Nw6ul9VwbGAskysXfaf0y3a3ja7byhxPfK6XH%7C87853ea39548d983c701530c33c643c33f24bb068059eee2474fd2c1dd05d04b; wfwaf-authcookie-301c82f5ef5cb96a84d3b59d01978ec4=1%7Cadministrator%7Cmanage_options%2Cunfiltered_html%2Cedit_others_posts%2Cupload_files%2Cpublish_posts%2Cedit_posts%2Cread%7Cffd65b720d3f446ab3ad96e13abab2ad071e50d5df015313a664a9ec50ac84db; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; wp-settings-time-1=1667846872
dnt: 1
manage_options: true
origin: https://mysite.dk
pragma: no-cache
referer: https://mysite.dk/test-page/agility/agility-body-reaction/
sec-ch-ua: "Microsoft Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.35
x-requested-with: XMLHttpRequest
x-wp-nonce: 4e1d47ebca
My JS code looks like this:
$.ajax({
json/agility_body_reactions/v1/exercise_data_submits',
url: 'https://MySite.dk/wp-json/agility/v1/body_reactions_exercise_submits/',
method: 'POST',
beforeSend: function(xhr) {
xhr.setRequestHeader(
'X-WP-Nonce',
wpApiSettings.nonce );
},
data: {
gender: gender,
age: age,
minutes: minutes,
seconds: seconds
}
});
Can anybody figure out what is wrong?
I don't know much about CORS.
Thanks
Flemming
Since my hosting provider has switched to HTTP2 I am getting a HTTP 416 Range Not Satisfiable error when trying to export data to Excel OR pdf formats. What I've tried already:
adding RequestHeader unset Range to .htaccess
adding Header unset Accept-Range to .htaccess
setting Cache-Control headers expiration to 0
I've talked to the technical support of my hosting provider and whatever they've doing for the next 20 minutes didn't work either. I think they even tried to switch off HTTP2 for my account – however the error persisted.
What I find even more bizarre is the fact that the error comes before the logs have been written, meaning that the file has not been generated at that point at all. It seems like the request comes to the server and bounces back with 416 without actually launching any process in the first place. Any ideas what it could be? I have not touched the code in the last 2 weeks and it seems to have been working alright.
Here are the request headers
:authority: [....xxx].com
:method: POST
:path: /v1/reports/shifts/export
:scheme: https
accept: application/json
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,de;q=0.8,ru;q=0.7,be;q=0.6,pl;q=0.5,fr;q=0.4
authorization: Bearer: eyJ0eXAiOiJKV1QiLCJhbGc....
cache-control: no-cache
content-length: 132
content-type: application/json
origin: https://[....xxx].com
pragma: no-cache
referer: https://[....xxx].com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
and here are the headers coming back with HTTP416 response
accept-ranges: none
access-control-allow-headers: Origin,X-Requested-With,Content-Type,Accept,Authorization,Accept-Language,Content-Language,Last-Event-ID,X-HTTP-Method-Override
access-control-allow-methods: GET, PATCH, POST, PUT, DELETE, OPTIONS
access-control-allow-origin: https://[....xxx].com
access-control-request-headers: X-Requested-With
cache-control: public
content-disposition: attachment; filename=shift.xls
content-length: 0
content-range: bytes */6144
content-type: application/vnd.ms-excel
date: Fri, 27 May 2022 11:54:20 GMT
last-modified: Fri, 27 May 2022 11:54:20 GMT
server: nginx
vary: Authorization
Any ideas?
Google App Engine's Front Controller removes the cookies from the response header set by my Laravel Framework 8.83.4 / PHP 7.4 application.
Cookies are being set in the browser properly when hosted locally. But, they are not set in the browser when I hosted it on Google's App Engine. So, Users can't persist the login session.
Chrome Headers dump : http://localhost:8000/login
General:
Request URL: http://localhost:8000/login
Request Method: GET
Status Code: 200 OK
Remote Address: 127.0.0.1:8000
Referrer Policy: no-referrer-when-downgrade
Response Headers:
Cache-Control: no-cache, private
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Tue, 15 Mar 2022 07:03:43 GMT
Date: Tue, 15 Mar 2022 07:03:42 GMT
Host: localhost:8000
Set-Cookie: XSRF-TOKEN=ey <some cookie hash> idGFnIjoiIn0%3D; expires=Tue, 15-Mar-2022 09:03:42 GMT; Max-Age=7199; path=/; samesite=lax
Set-Cookie: laravel_session=eym <some cookie hash> FnIjoiIn0%3D; expires=Tue, 15-Mar-2022 09:03:42 GMT; Max-Age=7199; path=/; httponly; samesite=lax
X-Powered-By: PHP/7.4.13
Request Headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Cookie: XSRF-TOKEN=eyJ <some cookie hash> GFnIjoiIn0%3D
Host: localhost:8000
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Chrome Headers dump : < App Engine Hosted Site URL >
General:
Request URL: <App Engine Hosted Site URL>
Request Method: GET
Status Code: 200
Remote Address: 142.250.182.116:443
Referrer Policy: no-referrer-when-downgrade
Response Headers:
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
cache-control: private
content-encoding: gzip
content-length: 2651
content-type: text/html; charset=UTF-8
date: Tue, 15 Mar 2022 07:05:17 GMT
server: Google Frontend
status: 200
vary: Accept-Encoding
x-cloud-trace-context: 1c3fedeeb3822b2833cbe2ce676d5497
Request Headers:
:authority: <App Engine Hosted Site URL>
:method: GET
:path: /login
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cache-control: max-age=0
referer: <App Engine Hosted Site URL>
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Here is the snip of index.php. I tried dumping the response (Commented below). My application is properly adding cookie to the response header. But, front controller removes it I think.
Index.php
$app = require_once __DIR__.'/../bootstrap/app.php';
$kernel = $app->make(Kernel::class);
$response = $kernel->handle(
$request = Request::capture()
);
// dd($response); // Response contains cookie. Headers are similar to the locally hosted app.
$response->send(); // Response doesn't contain cookie. Front controller is removing the cookie I think.
$kernel->terminate($request, $response);
Some people have discussed to handle cookie related functions at the top of each and every HTML page. But, that is not convenient and scalable for us.
If using our own php server instead of Google App Engine's Front Controller is the solution, Let me know the correct way to set entrypoint in app.yaml
Please guide me to the correct way to resolve this issue. Thanks.
I want to cache html page in my browser , and i am tying it on localhost , And I am sending the correct header( using the PHP) in response header but still browser is not caching the response, and every time i request same resource, It connect to server and get response from there
At top of my html page I am using
<?php
header("Cache-Control:max-age=36000");
?>
And the Response headers are
HTTP/1.1 200 OK
Date: Tue, 15 Nov 2016 14:45:37 GMT
Server: Apache/2.4.16 (Win32) OpenSSL/1.0.1p PHP/5.6.12
X-Powered-By: PHP/5.6.12
Cache-Control: max-age=36000
Accept-Ranges: none
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 154
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
When i saw Cache-Control:max-age=36000 in headers , I was expecting browser will cache this response for 36000 seconds and if i reload page ,I will get the cached response (and different response header) , but i am getting same header after reload ,and getting response straight from server again ,,
after reload request headers are
GET /check.php HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Should i send any other response header for tell browser to cache the response ?
PHP (of course) adds some magical cache-control headers by itself. It is not possible to simply overwrite those with header(), and you have to use session_cache_limiter() to set different cache control headers, or session_cache_limiter('') to disable those magical headers all together..
When I browse to a page with Firefox and click a download link, the following headers are shown when I inspect the request in network inspector:
Connection: keep-alive
Content-Disposition: attachment; filename="example_file.mp3"
Content-Length: 35181829
Content-Transfer-Encoding: binary
Content-Type: audio/mpeg
Date: Fri, 19 Aug 2016 18:19:02 GMT
Keep-Alive: timeout=60
Server: nginx
X-Powered-By: PHP/5.4.45
However, when I use cURL to visit the same address, I get this:
Connection: keep-alive
Content-Length: 1918
Content-Type: text/html; charset=UTF-8
Date: Fri, 19 Aug 2016 20:46:23 GMT
Keep-Alive: timeout=60
Server: nginx
X-Powered-By: PHP/5.4.45
How can I form a request with cURL that gives me the same response as Firefox?
In Firefox, open up the Net tab in the developer options(F12) and open the URL of the page you need.
Take note of all the Request Headers in the request sent to the server:
Example:
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding
gzip, deflate
Accept-Language
nl,en-US;q=0.7,en;q=0.3
Connection
keep-alive
Cookie
_ga=GA1.2.598213448.1471644637; _gat=1
Host
mariannesdelights.be
User-Agent
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Put all the headers in an array in this way
$headers = array('HeaderName:HeaderValue','HeaderName2:HeaderValue2');
Use the php function curl_setoption() to set the headers in the request:
curl_setopt($ch,CURLOPT_HTTPHEADER,$headers);
That should produce the exact same HTTP-Response headers.