Session swapping after Check Point firewall implementation - php

Everything was working fine until we configured Check Point.
For Check Point, we have a separate VPC in AWS.
After that, this bug started appearing randomly: some users are switched with other users. For example, let's say User A was logged into the application; after some time, User A was suddenly changed to User B. This is so random that I am not able to find a way to reproduce it, but end users are reporting it periodically.
My application is built in Yii 1 and the logic is straightforward: the session is set when the user logs into the website.
Yii1 Configuration
<?php
return array(
    'basePath' => dirname(__FILE__) . DIRECTORY_SEPARATOR . '..',
    'name' => 'Project',
    'defaultController' => 'site/login',
    // application components
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
            'enableCookieValidation' => true,
            'class' => 'HttpRequest',
            'csrfTokenName' => '_csrf',
        ),
        'session' => array(
            'class' => 'CDbHttpSession',
            'autoStart' => true,
            'connectionID' => 'db',
            'sessionTableName' => 'tbl_session',
            'timeout' => 3600 * 24 * 30,
            'autoCreateSessionTable' => false,
        ),
        'user' => array(
            'allowAutoLogin' => true,
            'authTimeout' => 3600 * 24 * 30,
        ),
        // ... other components ...
    ),
);
Below is a sample request.
Note: I have changed the URLs to dummy ones.
General
Request URL: https://[randomuniquestring].access.project.com/index.php?r=home/index
Request Method: GET
Status Code: 200
Remote Address: 143.204.*****:443
Referrer Policy: no-referrer-when-downgrade
Request Headers
:authority: randomuniquestring.access.project.com
:method: GET
:path: /index.php?r=home/index
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
cookie: selected_realm=ssl_vpn; _gcl_au=1.1.997081439.1542180219; __qca=P0-2107182343-1542180221727; _ga=GA1.2.663976907.1542956670; ___fnbDropDownState=1; CPCVPN_BASE_HOST=.access.project.com; CPCVPN_OBSCURE_KEY=6a97dc429cb24dafe51d5177d2e87218; _gid=GA1.2.33488363.1549271004; CPCVPN_SESSION_ID=96c6835fb518aeefe7eb64e5767c730401e4f547; _gat=1; CPCVPN_SDATA_VERSION=2
referer: https://[randomuniquestring].access.project.com/index.php?
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Response Headers
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
content-length: 0
content-type: text/html; charset=UTF-8
date: Thu, 07 Feb 2019 10:38:55 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
location: https://[randomuniquestring].access.project.com/?r=home/index
pragma: no-cache
server: CPWS
set-cookie: CPCVPN_SDATA_VERSION=2; path=/; secure; HttpOnly;
status: 302
strict-transport-security: max-age=1261440000; includeSubDomains
vary: User-Agent
via: 1.1 [randomuniquestring].cloudfront.net (CloudFront)
x-amz-cf-id: lWZ0rvOKiPO5FhJk6oPqdTchfzzsrTlb6du1DD6rNaOQZDSL1cGlcw==
x-cache: Miss from cloudfront
x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
I have referred to this question: PHP cookie-based session swapping in phorum, but didn't find any solution.
So is there a way to find the root cause behind it, and how do I resolve this?
Other details
For Check Point, we have a separate VPC in AWS.
This VPC contains the link and other migrated applications.
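The check a practitioner would want here, before blaming either the gateway or the application, is a way to tell on which side of the proxy the mix-up happens. The block below is an added example, not code from the question or from Yii: it binds the PHP session to a second cookie that the application issues itself, so a swapped session is caught on the next request and the swap can be attributed. It assumes a per-deployment secret `$serverKey` loaded from configuration (not the session id and not the Yii cookie-validation key); the cookie name `sid_bind` is arbitrary, and the two users and their cookies are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or from Yii. It binds the PHP session to a
// second cookie that the application issues itself, so a "swapped" session is caught on
// the next request and the swap can be attributed to the application side or to the
// layer in front of it. Assumptions: $serverKey is a per-deployment secret loaded from
// configuration; the cookie name "sid_bind" is arbitrary.

const BIND_COOKIE = 'sid_bind';

/** HMAC over session id and user id; a client cannot forge a binding for another session. */
function bindingValue(string $serverKey, string $sessionId, string $userId): string
{
    return hash_hmac('sha256', $sessionId . '|' . $userId, $serverKey);
}

/**
 * Call once after a successful login, after the session id has been regenerated.
 * Returns name, value and the setcookie() options array (PHP 7.3+ form) to send.
 */
function issueBindingCookie(string $serverKey, string $sessionId, string $userId): array
{
    return [
        'name'    => BIND_COOKIE,
        'value'   => bindingValue($serverKey, $sessionId, $userId),
        'options' => ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'],
    ];
}

/**
 * Call on every request that carries a logged-in session: the session id the request
 * presented, the user id stored inside that session, and the sid_bind cookie (or null).
 * Returns 'ok' or a short diagnosis to log together with the request.
 */
function verifyBinding(string $serverKey, string $sessionId, ?string $sessionUserId, ?string $bindCookie): string
{
    if ($sessionUserId === null) {
        return 'ok';                           // anonymous session: nothing to bind yet
    }
    if ($bindCookie === null) {
        return 'no sid_bind cookie: treat as logged out and force re-login';
    }
    $expected = bindingValue($serverKey, $sessionId, $sessionUserId);
    if (hash_equals($expected, $bindCookie)) {
        return 'ok';
    }
    // The session cookie and the binding cookie were issued for different logins, so one
    // of them changed somewhere between the browser and this code.
    return 'session/binding mismatch: destroy session and force re-login';
}

// --- Constructed demonstration with two logged-in users ------------------------------
$serverKey = bin2hex(random_bytes(32));              // production: load from configuration

$alice = ['sid' => 'sess-' . bin2hex(random_bytes(8)), 'user' => 'alice'];
$bob   = ['sid' => 'sess-' . bin2hex(random_bytes(8)), 'user' => 'bob'];
$alice['bind'] = issueBindingCookie($serverKey, $alice['sid'], $alice['user'])['value'];
$bob['bind']   = issueBindingCookie($serverKey, $bob['sid'], $bob['user'])['value'];

// 1. Alice's browser presents her own two cookies.
printf("%-28s %s\n", 'own cookies:', verifyBinding($serverKey, $alice['sid'], 'alice', $alice['bind']));

// 2. Only the session cookie was swapped: Alice's browser now presents Bob's session id
//    (so the session data says "bob") while her sid_bind still says "alice". A mismatch
//    here points at whatever handles the session cookie on its own: the application,
//    its session store, or a cache that served another user's Set-Cookie.
printf("%-28s %s\n", "bob's session id only:", verifyBinding($serverKey, $bob['sid'], 'bob', $alice['bind']));

// 3. Both cookies were swapped together, so they agree and the check passes. If users
//    keep reporting swaps while this check never fires, the whole cookie set is being
//    moved at once by a component upstream of the application that keeps cookies per client.
printf("%-28s %s\n", "bob's whole cookie set:", verifyBinding($serverKey, $bob['sid'], 'bob', $bob['bind']));

// 4. A forged binding value never verifies.
printf("%-28s %s\n", 'forged sid_bind:', verifyBinding($serverKey, $alice['sid'], 'alice', str_repeat('0', 64)));
```

In Yii 1 terms the issue step fits an override of `CWebUser::afterLogin()`, where `Yii::app()->session->sessionID` and `Yii::app()->user->id` are both available, and the verify step fits an `onBeginRequest` handler. Because the configuration above has `enableCookieValidation` on, either add the cookie through `Yii::app()->request->cookies` (a `CHttpCookie` added to that collection is signed, so it is accepted back) or read it straight from `$_COOKIE`; a value set with a raw `setcookie()` is dropped by the validating collection.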

Cutoff body content from Guzzle response

I am using Guzzle to log in to a page, and then parse the DOM for download links.
However, I don't receive the full DOM after login. The HTML with the download links is just about to start in the DOM string and then it cuts off.
Does someone have any idea what could be the cause of this?
The page is behind a login and not publicly accessible.
Note: I cannot share the URLs or login data, so replicating the issue is most likely impossible.
This is the end of the DOM:
</SCRIPT>
<TABLE ALIGN=LEFT CELLSPACING=0 CELLPADDING=1 style='WIDTH:99%;max-width:1000px;'>
(after that there is nothing, but should be, its just not in the response somehow)
PHP: 7.1.26
Guzzle: 6.3.3
Some code, if it's helpful:
$response = self::$client->get(
    self::getConfig()['baseurl'] . '/' . parse_url($mainScreenUri)['path'],
    [
        'query'   => $query_params,
        'sink'    => date('Y.m.d_H-i-s') . '_sink_.txt',
        'debug'   => TRUE,
        'headers' => [
            'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
            'Accept'     => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Host'       => 'snip',
        ],
    ]
);
$x = $response->getBody()->__toString();
file_put_contents(date('Y.m.d_H-i-s') . '.txt', $x);
Both files created by this are cut and do not show the full body.
Response debug:
* Found bundle for host snip: 0x5625c0ab6100 [can pipeline]
* Re-using existing connection! (#0) with host snip
* Connected to snip port 443 (#0)
> GET snip HTTP/1.1
Host: snip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Cookie: snip
< HTTP/1.1 200 OK
< Date: Tue, 25 Jun 2019 12:55:56 GMT
< Server: Apache/2.4.7 (Ubuntu)
< X-Powered-By: PHP/5.5.9-1ubuntu4.26
< X-Frame-Options: sameorigin
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
* Curl_http_done: called premature == 0
* Connection #0 to host snip left intact
Edit:
Using streams to fetch only a few bytes at a time, I have the same problem.
/** @var \GuzzleHttp\Promise\Promise $promise */
$promise = self::$client->getAsync(
    self::getConfig()['baseurl'] . '/' . parse_url($mainScreenUri)['path'],
    [
        'query'           => $query_params,
        'sink'            => 'snip' . date('Y.m.d_H-i-s') . '_sink_.txt',
        'debug'           => $resource,
        'stream'          => TRUE,
        'headers'         => [
            'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
            'Accept'     => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Host'       => 'snip',
            // 'Referer' => 'snip/popup.php?user=' . self::getConfig()['username'] . '&pwi=' . $pwi . '&pwh=' . $hpw,
        ],
        'allow_redirects' => [
            'max' => 50,
        ],
    ]
);
/** @var \GuzzleHttp\Psr7\Response $response */
$response = $promise->wait();
/** @var \GuzzleHttp\Psr7\Stream $body */
$body = $response->getBody();
$dataRead = "";
while (!$body->eof()) {
    $data = $body->read(1024);
    $dataRead .= $data;
}
$dataRead is cut off like everything else.
I found the issue. It was a parameter which was broken, and the server decided to give back broken HTML instead of an error message or nothing at all.
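The question boils down to one distinction: was the body cut off in transit, or did the server end the response there? With `Transfer-Encoding: chunked` the wire format answers that itself, because a response the server finished always ends with a zero-size chunk. The block below is an added example, not code from the question or from Guzzle/cURL (both of which decode chunked bodies for you); it is the check to run on a raw capture from a proxy or a pcap. The HTML in it is constructed and deliberately stops mid-page, like the capture above.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or from Guzzle/cURL (which decode chunked
// bodies for you). Given a raw HTTP/1.1 chunked body as captured on the wire, it
// decodes it by hand and reports whether the terminating zero-size chunk arrived.
// That is the check that separates "the connection was cut" from "the server ended
// the response here", which is what the question ends up finding.

/** Build one chunk: hex size, CRLF, data, CRLF. Used only to construct the demo input. */
function chunk(string $data): string
{
    return sprintf("%x\r\n%s\r\n", strlen($data), $data);
}

/**
 * Decode a chunked body. Returns ['complete' => bool, 'body' => string, 'reason' => string].
 * 'body' holds whatever could be recovered even when the stream is incomplete.
 */
function decodeChunked(string $raw): array
{
    $body = '';
    $pos  = 0;
    $len  = strlen($raw);

    while (true) {
        $eol = strpos($raw, "\r\n", $pos);
        if ($eol === false) {
            return ['complete' => false, 'body' => $body, 'reason' => 'stream ended inside a chunk-size line'];
        }
        $sizeLine = substr($raw, $pos, $eol - $pos);
        $sizeHex  = trim(explode(';', $sizeLine, 2)[0]);   // drop chunk extensions ";name=value"
        if (!preg_match('/^[0-9A-Fa-f]{1,8}$/', $sizeHex)) {
            return ['complete' => false, 'body' => $body, 'reason' => "malformed chunk size '$sizeLine'"];
        }
        $size = (int) hexdec($sizeHex);
        $pos  = $eol + 2;

        if ($size === 0) {
            // Last chunk: optional trailer lines, then an empty line closes the body.
            while (true) {
                $end = strpos($raw, "\r\n", $pos);
                if ($end === false) {
                    return ['complete' => false, 'body' => $body, 'reason' => 'stream ended inside the trailer section'];
                }
                if ($end === $pos) {
                    return ['complete' => true, 'body' => $body, 'reason' => 'terminating chunk received'];
                }
                $pos = $end + 2;                              // skip one trailer line
            }
        }
        if ($pos + $size + 2 > $len) {
            $body .= substr($raw, $pos);                      // keep the partial data
            return ['complete' => false, 'body' => $body, 'reason' => "stream ended inside a {$size}-byte chunk"];
        }
        $body .= substr($raw, $pos, $size);
        if (substr($raw, $pos + $size, 2) !== "\r\n") {
            return ['complete' => false, 'body' => $body, 'reason' => 'chunk data not followed by CRLF'];
        }
        $pos += $size + 2;
    }
}

// --- Constructed demonstration -------------------------------------------------------
// The HTML deliberately stops mid-page, like the capture in the question.
$wire = chunk("<html><body>\n</SCRIPT>\n")
      . chunk("<TABLE ALIGN=LEFT CELLSPACING=0 CELLPADDING=1 style='WIDTH:99%;'>")
      . "0\r\n\r\n";

// Intact framing: whatever HTML is in there is all the server chose to send.
$served = decodeChunked($wire);
printf("intact stream:    complete=%s  reason=%s\n", var_export($served['complete'], true), $served['reason']);

// The same stream with its tail cut off: the connection dropped inside a chunk.
$cut = decodeChunked(substr($wire, 0, -20));
printf("cut-off stream:   complete=%s  reason=%s\n", var_export($cut['complete'], true), $cut['reason']);

// A corrupted size line, the case an intermediary would reject outright.
$dirty = decodeChunked(str_replace("0\r\n\r\n", "zz\r\n", $wire));
printf("malformed stream: complete=%s  reason=%s\n", var_export($dirty['complete'], true), $dirty['reason']);
```

The cURL debug line in the post points the same way: libcurl prints `Curl_http_done: called premature == 1` when a transfer is aborted before it finishes, so `premature == 0` means curl saw the response end normally, which is consistent with the conclusion that the server itself returned the short HTML.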

PHP: send request post login web site

I have this POST request to log in to a website:
http://xxxx.net-kont.it/
POST / HTTP/1.1
Host: xxxx.net-kont.it
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://xxxx.net-kont.it/
Content-Length: 1904
Cookie: ASP.NET_SessionId=s44bymd3lm4dsykvymjljv5s
Connection: keep-alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: SSOAuth=EDCCFF8CD40064D70B3377CD0389FF7F807F0B774F2CE1CA6C015314911D3D69AB819EAB9938C14608842D25991D11D8F1A5A94090DB926BD7001C526B1920A51AC986182EB016C323983716720E8F345B54E02E44C65753E9183843D23F569EF3FE52C03FC8567E809A77387B8C; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Sun, 22 Oct 2017 12:26:40 GMT
Content-Length: 714
----------------------------------------------------------
http://xxxx.net-kont.it/aspx/Empty.aspx?ControllaRichieste=true&CheckCode=29a29a891a7d4d7773f480064e5c869929bcca40e7c84812111f9affbc3be4628a3b7defe8fb9b14f9911be9c6545e7cd31c2fc04b79a8d1e7280e0277264bdcec7428037a43961c3dda5bbd54a2e7ae&wsid=1a57f5e6-bf68-4f2f-9a71-c43e8e8bfbaf&wsnew=false
GET /aspx/Empty.aspx?ControllaRichieste=true&CheckCode=29a29a891a7d4d7773f480064e5c869929bcca40e7c84812111f9affbc3be4628a3b7defe8fb9b14f9911be9c6545e7cd31c2fc04b79a8d1e7280e0277264bdcec7428037a43961c3dda5bbd54a2e7ae&wsid=1a57f5e6-bf68-4f2f-9a71-c43e8e8bfbaf&wsnew=false HTTP/1.1
Host: xxxx.net-kont.it
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxxx.net-kont.it/
Cookie: ASP.NET_SessionId=s44bymd3lm4dsykvymjljv5s; SSOAuth=EDCCFF8CD40064D70B3377CD0389FF7F807F0B774F2CE1CA6C015314911D3D69AB819EAB9938C14608842D25991D11D8F1A5A94090DB926BD7001C526B1920A51AC986182EB016C323983716720E8F345B54E02E44C65753E9183843D23F569EF3FE52C03FC8567E809A77387B8C
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 22 Oct 2017 12:26:40 GMT
Content-Length: 95935
----------------------------------------------------------
The POST request requires the following fields:
'__LASTFOCUS' => '',
'__EVENTTARGET' => '',
'__EVENTARGUMENT' => '',
'__VIEWSTATE' => $viewstate,
'__VIEWSTATEGENERATOR' => $viewstategenerator,
'ctl00$hwsid' => $hwsid,
'ctl00$PageSessionId' => $pagesessionid,
'ctl00$DefaultUrl' => $defaulturl,
'ctl00$GenericErrorUrl' => $genericerrorurl,
'ctl00$PopupElement' => '',
'ctl00$PollingTimeoutSecs' => $pollingtimeoutsecs,
'ctl00$bodyContent$txtUser' => $user,
'ctl00$bodyContent$txtPassword' => $password,
'__CALLBACKID' => '__Page',
'__CALLBACKPARAM' => '"hwsid="'.$hwsid.'"&PageSessionId="'.$pagesessionid.'"&DefaultUrl="'.$defaulturl.'"&GenericErrorUrl="'.$genericerrorurl.'"&PopupElement="'.'"&PollingTimeoutSecs="'.$pollingtimeoutsecs.'"&txtUser="'.$user.'"&txtPassword="'.$password,
'__EVENTVALIDATION' => $eventvalidation
From an analysis of the POST request, you notice that by sending the first cookie obtained from the website, "ASP.NET_SessionId=", you immediately get an additional authentication cookie, "SSOAuth=".
How can I get the second cookie, "SSOAuth=", so that I can get access to the site? I tried this code:
$user = "xx";
$password = "xx";
$url = 'http://xxx.it/Default.aspx';
$contents = file_get_contents($url);
$dom = new DOMDocument;
$dom->loadHTML($contents);
$xpath = new DOMXpath($dom);
$eventvalidation = $xpath->query('//*[@name="__EVENTVALIDATION"]')->item(0)->getAttribute('value');
$viewstate = $xpath->query('//*[@name="__VIEWSTATE"]')->item(0)->getAttribute('value');
$viewstategenerator = $xpath->query('//*[@name="__VIEWSTATEGENERATOR"]')->item(0)->getAttribute('value');
$hwsid = $xpath->query('//*[@name="ctl00$hwsid"]')->item(0)->getAttribute('value');
$pagesessionid = $xpath->query('//*[@name="ctl00$PageSessionId"]')->item(0)->getAttribute('value');
$defaulturl = $xpath->query('//*[@name="ctl00$DefaultUrl"]')->item(0)->getAttribute('value');
$genericerrorurl = $xpath->query('//*[@name="ctl00$GenericErrorUrl"]')->item(0)->getAttribute('value');
$pollingtimeoutsecs = $xpath->query('//*[@name="ctl00$PollingTimeoutSecs"]')->item(0)->getAttribute('value');
// $http_response_header is filled by the file_get_contents() call above.
$cookies = array_filter(
    $http_response_header,
    function ($v) { return stripos($v, "Set-Cookie:") === 0; }
);
$headers = [
    "Accept-language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3",
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8",
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0",
];
// Send back only name=value: the attributes after the first ';' (path, HttpOnly) are
// instructions to the client and do not belong in the Cookie header.
$pairs = [];
foreach ($cookies as $cookie) {
    $pairs[] = trim(explode(';', substr($cookie, strlen("Set-Cookie:")), 2)[0]);
}
if ($pairs) {
    $headers[] = "Cookie: " . implode("; ", $pairs);
}
$request = array(
    'http' => array(
        'method' => 'POST',
        'timeout' => 0,
        'header' => $headers,
        'content' => http_build_query(array(
            '__LASTFOCUS' => '',
            '__EVENTTARGET' => '',
            '__EVENTARGUMENT' => '',
            '__VIEWSTATE' => $viewstate,
            '__VIEWSTATEGENERATOR' => $viewstategenerator,
            'ctl00$hwsid' => $hwsid,
            'ctl00$PageSessionId' => $pagesessionid,
            'ctl00$DefaultUrl' => $defaulturl,
            'ctl00$GenericErrorUrl' => $genericerrorurl,
            'ctl00$PopupElement' => '',
            'ctl00$PollingTimeoutSecs' => $pollingtimeoutsecs,
            'ctl00$bodyContent$txtUser' => $user,
            'ctl00$bodyContent$txtPassword' => $password,
            '__CALLBACKID' => '__Page',
            '__CALLBACKPARAM' => '"hwsid="'.$hwsid.'"&PageSessionId="'.$pagesessionid.'"&DefaultUrl="'.$defaulturl.'"&GenericErrorUrl="'.$genericerrorurl.'"&PopupElement="'.'"&PollingTimeoutSecs="'.$pollingtimeoutsecs.'"&txtUser="'.$user.'"&txtPassword="'.$password,
            '__EVENTVALIDATION' => $eventvalidation,
            'ctl00$bodyContent$btnLogin' => 'Conferma'
        )),
    )
);
echo "<hr/>";
$context = stream_context_create($request);
$data = file_get_contents($url, false, $context);
echo htmlentities($data);
But I get the following output ("Autenticazione fallita" is "Authentication failed"):
<Notification><Error Code="" Alert="True" ClosePopup="True" Fatal="False" Message="Autenticazione fallita." /></Notification>
The session will be in the HTTP headers, and file_get_contents only gets the HTTP body, so you are losing the "metadata" in which your cookie is sent.
I'd really recommend using something a bit more advanced than that. @Tarun Lalwani recommended curl, which can achieve that, although I prefer to use something more intuitive such as Guzzle: http://docs.guzzlephp.org/en/stable/ .
Guzzle uses PSR-7: http://www.php-fig.org/psr/psr-7/
This is a Guzzle usage example where you can see how easy it is to access the headers:
$client = new GuzzleHttp\Client();
$res = $client->request('GET', 'https://api.github.com/user', [
    'auth' => ['user', 'pass']
]);
echo $res->getStatusCode();
// "200"
echo $res->getHeaderLine('content-type');   // getHeader() returns an array of values, getHeaderLine() the joined string
// 'application/json; charset=utf8'
echo $res->getBody();
// {"type":"User"...'
I have solved it! It was easier than expected... I simply had to delete the quotes (") in this:
'__CALLBACKPARAM' => '"hwsid="'.$hwsid.'"&PageSessionId="'.$pagesessionid.'"&DefaultUrl="'.$defaulturl.'"&GenericErrorUrl="'.$genericerrorurl.'"&PopupElement="'.'"&PollingTimeoutSecs="'.$pollingtimeoutsecs.'"&txtUser="'.$user.'"&txtPassword="'.$password,
converted to:
'__CALLBACKPARAM' => 'hwsid='.$hwsid.'&PageSessionId='.$pagesessionid.'&DefaultUrl='.$defaulturl.'&GenericErrorUrl='.$genericerrorurl.'&PopupElement='.'&PollingTimeoutSecs='.$pollingtimeoutsecs.'&txtUser='.$user.'&txtPassword='.$password,
It looks like you are trying to parse data directly from a website; have you considered approaching the website owners about building an API? In any event, I recommend using PhantomJS, so that the scraper code is simpler and the traffic and other JS countermeasures are handled more easily.

Php Twitter Web services curl and file_get_contents converting string response to JSON

I am trying to use the Twitter API with PHP cURL (previously I used file_get_contents, which I had to abandon because it could not respond effectively to Twitter rate limits).
When I run the code using file_get_contents, I get a string in response, on which I can easily use json_decode() and my work is done. But...
When I run the code using cURL, in the response I get one huge string that has the same data I obtained using the above method plus some additional information, and because of that I can't use json_decode() on that response. Following are the two responses.
Response from file_get_contents
string(1964) "{"id":2988119635,"id_str":"2988119635","name":"Michael Jackson","screen_name":"Yahoo6464","location":"","description":"","url":null,"entities":{"description":{"urls":[]}},"protected":false,"followers_count":4,"friends_count":2,"listed_count":2,"created_at":"Sun Jan 18 07:18:41 +0000 2015","favourites_count":6,"utc_offset":null,"time_zone":null,"geo_enabled":false,"verified":false,"statuses_count":144,"lang":"en","status":{"created_at":"Tue Mar 15 07:09:21 +0000 2016","id":709637592510308352,"id_str":"709637592510308352","text":"noooooooooooooooooooo"}"
Response from cURL
string(2942) "HTTP/1.1 200 OK
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-disposition: attachment; filename=json.json
content-length: 1964
content-type: application/json;charset=utf-8
date: Wed, 16 Mar 2016 06:58:18 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Wed, 16 Mar 2016 06:58:18 GMT
pragma: no-cache
server: tsa_f
set-cookie: lang=en; Path=/
set-cookie: guest_id=v1%3A145811149839783410; Domain=.twitter.com; Path=/; Expires=Fri, 16-Mar-2018 06:58:18 UTC
status: 200 OK
strict-transport-security: max-age=631138519
x-access-level: read-write
x-connection-hash: e23e2992def7a3837cdbb3a3201bf7de
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-rate-limit-limit: 15
x-rate-limit-remaining: 12
x-rate-limit-reset: 1458112290
x-response-time: 171
x-transaction: 3fca373925e5f65b
x-twitter-response-tags: BouncerExempt
x-twitter-response-tags: BouncerCompliant
x-xss-protection: 1; mode=block
{"id":2988119635,"id_str":"2988119635","name":"Michael Jackson","screen_name":"Yahoo6464","location":"","description":"","url":null,"entities":{"description":{"urls":[]}},"protected":false,"followers_count":4,"friends_count":2,"listed_count":2,"created_at":"Sun Jan 18 07:18:41 +0000 2015","favourites_count":6,"utc_offset":null,"time_zone":null,"geo_enabled":false,"verified":false,"statuses_count":144,"lang":"en","status":{"created_at":"Tue Mar 15 07:09:21 +0000 2016","id":709637592510308352,"id_str":"709637592510308352","text":"noooooooooooooooooooo"}"
Here are my cURL options:
$options = array(
    CURLOPT_URL            => $url,
    CURLOPT_HEADER         => true,   // response headers are prepended to the returned string
    CURLINFO_HEADER_OUT    => true,
    CURLOPT_HTTPHEADER     => $header,
    CURLOPT_HTTPGET        => true,   // was CURLOPT_POST => true plus CURLOPT_CUSTOMREQUEST => 'GET'; a plain GET needs neither
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // was false: never disable certificate checks on a request carrying OAuth credentials
);
$ci = curl_init();
$d = curl_setopt_array($ci, $options);
$response = curl_exec($ci);
Just set CURLOPT_HEADER to false.
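Turning `CURLOPT_HEADER` off throws away the `x-rate-limit-*` headers that were the reason for moving to cURL in the first place. The block below is an added example, not code from the question or the answer: it keeps the headers, splits the raw transfer using the header size cURL reports, reads the rate-limit headers and only then decodes the body. It runs offline on a response constructed from the headers quoted above (the "now" timestamp is chosen 90 seconds before the quoted reset); the commented line shows where a live cURL handle plugs in. It uses `JSON_THROW_ON_ERROR`, so it needs PHP 7.3 or newer.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or answer. Instead of switching CURLOPT_HEADER
// off, keep it on, split the raw transfer with the header size cURL reports, read the
// x-rate-limit-* headers (the reason the question moved to cURL) and only then json_decode()
// the body. Runs offline on a response constructed from the headers shown above; the
// commented line shows where the live cURL handle plugs in. Requires PHP 7.3+ for
// JSON_THROW_ON_ERROR.

/**
 * Split a raw cURL transfer into status, headers (lowercased name => list of values) and body.
 * $headerSize is curl_getinfo($ch, CURLINFO_HEADER_SIZE); it covers every header block cURL
 * received (a "100 Continue" or the intermediate responses of followed redirects), which is
 * why it is preferred over searching for the first blank line. Pass null to fall back.
 */
function splitResponse(string $raw, ?int $headerSize = null): array
{
    if ($headerSize !== null && $headerSize > 0 && $headerSize <= strlen($raw)) {
        $headerPart = substr($raw, 0, $headerSize);
        $body       = substr($raw, $headerSize);
    } else {
        $sep = strpos($raw, "\r\n\r\n");
        if ($sep === false) {
            return ['status' => 0, 'headers' => [], 'body' => $raw];
        }
        $headerPart = substr($raw, 0, $sep + 4);
        $body       = substr($raw, $sep + 4);
    }

    // Several header blocks may be present; the last one belongs to the body.
    $blocks  = explode("\r\n\r\n", rtrim($headerPart, "\r\n"));
    $lines   = explode("\r\n", end($blocks));
    $status  = 0;
    $headers = [];
    foreach ($lines as $i => $line) {
        if ($i === 0 && preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];
            continue;
        }
        if (strpos($line, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        // Repeated headers (set-cookie, x-twitter-response-tags) are collected, not overwritten.
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return ['status' => $status, 'headers' => $headers, 'body' => $body];
}

/** From the rate-limit headers, how many calls are left and how long to wait if none are. */
function rateLimitState(array $headers, int $now): array
{
    $remaining = (int) ($headers['x-rate-limit-remaining'][0] ?? 1);
    $reset     = (int) ($headers['x-rate-limit-reset'][0] ?? $now);
    return ['remaining' => $remaining, 'wait_secs' => $remaining > 0 ? 0 : max(0, $reset - $now)];
}

// --- Constructed response, shaped like the cURL output quoted in the question --------
$raw = "HTTP/1.1 200 OK\r\n"
     . "content-type: application/json;charset=utf-8\r\n"
     . "x-rate-limit-limit: 15\r\n"
     . "x-rate-limit-remaining: 0\r\n"
     . "x-rate-limit-reset: 1458112290\r\n"
     . "set-cookie: lang=en; Path=/\r\n"
     . "set-cookie: guest_id=v1%3A1458; Domain=.twitter.com; Path=/\r\n"
     . "\r\n"
     . '{"id":2988119635,"screen_name":"Yahoo6464","statuses_count":144}';
$headerSize = strpos($raw, "\r\n\r\n") + 4;   // stands in for curl_getinfo($ci, CURLINFO_HEADER_SIZE)
// Live: $raw = curl_exec($ci); $headerSize = curl_getinfo($ci, CURLINFO_HEADER_SIZE);

$resp = splitResponse($raw, $headerSize);
$user = json_decode($resp['body'], true, 512, JSON_THROW_ON_ERROR);
$rate = rateLimitState($resp['headers'], 1458112200);   // "now" chosen 90 s before the reset

printf("status %d, %d set-cookie header(s), user %s has %d statuses\n",
    $resp['status'], count($resp['headers']['set-cookie']), $user['screen_name'], $user['statuses_count']);
printf("rate limit: %d call(s) left, wait %d s before the next one\n", $rate['remaining'], $rate['wait_secs']);
```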

Laravel - cross domain request - barryvdh laravel-cors

I have a problem with a cross-domain request. I want to send a GET request via AJAX from 'www.second-domain.com' to 'www.first-domain.com/path/to/plugin' and return HTML code (the plugin view).
I installed 'barryvdh/laravel-cors' from GitHub in Laravel 4.2 on 'www.first-domain.com'.
plugin.blade.php
<div id="bookingPlugin">
    <div class="container">
        <div class="bookingPlugin">
            <div class="bookingPluginHeader">
                <div class="bookingPluginTxtCenter">REZERWACJA ON-LINE</div>
            </div>
            <div class="bookingPluginContent bookingPluginNoPadding">
                @foreach ($categories as $category)
                    <div class="bookingPluginButtonContainer">
                        <button id="{{{ $category->CategoryId }}}" class="bookingPluginTxtCenter">{{{ $category->CategoryName }}}</button>
                    </div>
                @endforeach
            </div>
        </div>
    </div>
</div>
<div id="bookingWindow"></div>
<script>
    $.getScript('http://plugins.first-domain.com/bookingWindow.js');
    $.getScript('http://first-domain.com/packages/jquery-ui/jquery-ui.min.js');
    $("head").append(
        "<link href=\"http://first-domain.com/packages/jquery-ui/jquery-ui.min.css\" rel=\"stylesheet\" media=\"all\" type=\"text/css\">"
    );
    $("#bookingPlugin button").click(function(){
        openBookingWindow("{{ $hotelId }}", this.id);
    });
</script>
On 'www.second-domain.com' I added the following line to the code. If I add this line to 'www.first-domain.com' it works.
<script type="text/javascript" src="http://plugins.first-domain.com/book.js"></script>
book.js
$("head").append(
    "<style>"+
    "#bookingPlugin{position:absolute;top:200px;width:100%;z-index:999;}"+
    "#bookingPlugin button{font-size:100%;margin:0;vertical-align:baseline;line-height:normal;text-transform:uppercase;background:#2670b5;}"+
    "#bookingPlugin button{width:100%;cursor:pointer;color:#fff;-webkit-appearance:button;border:1px solid #fff;outline:0;padding:5px;}"+
    "#bookingPlugin button:hover{background:#275DA2}"+
    ".bookingPlugin{width:250px;background-color:#fff;color:#444;border:1px solid #fff;padding:5px}"+
    ".bookingPluginNoPadding{padding:0;}"+
    ".bookingPluginHeader{width:100%;font-weight:bold;border-bottom:1px dotted #444;margin:0 0 5px 0;padding:5px;}"+
    ".bookingPluginTxtCenter{text-align:center;}"+
    ".bookingPluginContent{width:100%;}"+
    ".bookingPluginButtonContainer{width:100%;}"+
    "</style>"
);
$.ajax({
    //send get ajax request to laravel
    type:'get',
    //call to route
    url:'http://www.first-domain.com/path/to/plugin',
    //return data type as html
    dataType:'html'
}).done(function(data){
    //insert returned data into body element
    $("body").append(data);
}).fail(function(jqXHR, ajaxOptions, thrownError){
    alert(thrownError);
});
barryvdh/laravel-cors/config.php
'defaults' => array(
    'supportsCredentials' => false,
    'allowedOrigins' => array(),
    'allowedHeaders' => array(),
    'allowedMethods' => array(),
    'exposedHeaders' => array(),
    'maxAge' => 0,
    'hosts' => array(),
),
'paths' => array(
    '^/' => array(
        'allowedOrigins' => array('*'),
        'allowedHeaders' => array('Content-Type'),
        'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'),
        'maxAge' => 3600,
    )
)
EDIT:
Request headers (www.second-domain.com -> www.first-domain.com)
Accept text/html, */*; q=0.01
Accept-Encoding gzip, deflate
Accept-Language pl,en-US;q=0.7,en;q=0.3
DNT 1
Host first-domain.com
Origin http://www.first-domain.com
Referer http://www.first-domain.com/
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Response headers (www.second-domain.com -> www.first-domain.com)
Cache-Control no-cache
Connection keep-alive
Content-Length 0
Content-Type text/html; charset=UTF-8
Date Mon, 27 Oct 2014 07:49:01 GMT
Server nginx
Set-Cookie laravel_session=eyJpdiI6Imtva3...; expires=Mon, 27-Oct-2014 09:49:01 GMT; Max-Age=7200; path=/; httponly
Vary Origin
X-Powered-By PHP/5.5.17
access-control-allow-origin http://www.first-domain.com
Request headers (www.first-domain.com -> www.first-domain.com)
Accept text/html, */*; q=0.01
Accept-Encoding gzip, deflate
Accept-Language pl,en-US;q=0.7,en;q=0.3
Cookie laravel_session=eyJpdiI6IjB1V...; _ga=GA1.2.1119242176.1414394349; _gat=1
DNT 1
Host first-domain.com
Referer http://first-domain.com/
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
X-Requested-With XMLHttpRequest
Response headers (www.first-domain.com -> www.first-domain.com)
Cache-Control no-cache
Connection keep-alive
Content-Encoding gzip
Content-Type text/html; charset=UTF-8
Date Mon, 27 Oct 2014 07:48:32 GMT
Server nginx
Set-Cookie laravel_session=eyJpdiI6ImVxd...; expires=Mon, 27-Oct-2014 09:48:32 GMT; Max-Age=7200; path=/; httponly
Transfer-Encoding chunked
Vary Accept-Encoding
X-Powered-By PHP/5.5.17
I found the solution.
The www.first-domain.com -> www.first-domain.com request included the header 'X-Requested-With: XMLHttpRequest', but the www.second-domain.com -> www.first-domain.com request did not have this header.
I found the full answer in this topic: Cross-Domain AJAX doesn't send X-Requested-With header
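Two CORS facts explain the header captures above: jQuery only adds `X-Requested-With` to same-origin requests, and adding it to a cross-origin request turns the request into one that needs a preflight, which in turn only passes if the server lists that header in its allowed headers. The block below is an added example, not code from the question or from barryvdh/laravel-cors: a minimal CORS decision function that replays the two requests from the question against the posted configuration and against a tightened one. The config arrays mirror the shape of a laravel-cors `paths` entry, but the tightened values are illustrative.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or from barryvdh/laravel-cors. A minimal CORS
// decision function, used here to replay the two requests from the question and to show
// what changes once the client adds X-Requested-With. The config arrays mirror the shape
// of a laravel-cors "paths" entry; the tightened values are illustrative.

const CORS_AS_POSTED = [                  // the question's config for '^/'
    'allowedOrigins'      => ['*'],
    'allowedHeaders'      => ['Content-Type'],
    'allowedMethods'      => ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'],
    'supportsCredentials' => false,
    'maxAge'              => 3600,
];
const CORS_TIGHTENED = [                  // name the embedding site and allow the custom header
    'allowedOrigins'      => ['http://www.second-domain.com'],
    'allowedHeaders'      => ['Content-Type', 'X-Requested-With'],
    'allowedMethods'      => ['GET', 'OPTIONS'],
    'supportsCredentials' => false,
    'maxAge'              => 3600,
];

/**
 * $req = ['method' => 'GET', 'headers' => [lowercase-name => value]].
 * Returns the CORS response headers to add, or ['_note' => why nothing is added].
 */
function corsHeaders(array $req, array $cfg): array
{
    $origin = $req['headers']['origin'] ?? null;
    if ($origin === null) {
        return ['_note' => 'no Origin header: same-origin request, CORS does not apply'];
    }
    $wildcard = in_array('*', $cfg['allowedOrigins'], true);
    if (!$wildcard && !in_array($origin, $cfg['allowedOrigins'], true)) {
        return ['_note' => "origin $origin not allowed: the browser hides the response from the page"];
    }
    // Browsers reject "*" together with credentials, so echo the exact origin in that case.
    $out = [
        'Access-Control-Allow-Origin' => ($wildcard && !$cfg['supportsCredentials']) ? '*' : $origin,
        'Vary'                        => 'Origin',   // the response depends on the Origin header
    ];
    if ($cfg['supportsCredentials']) {
        $out['Access-Control-Allow-Credentials'] = 'true';
    }

    $preflight = $req['method'] === 'OPTIONS' && isset($req['headers']['access-control-request-method']);
    if (!$preflight) {
        return $out;                                  // the actual request only needs Allow-Origin
    }
    $method = strtoupper($req['headers']['access-control-request-method']);
    if (!in_array($method, array_map('strtoupper', $cfg['allowedMethods']), true)) {
        return ['_note' => "method $method not allowed: preflight fails"];
    }
    $requested = array_filter(array_map('trim', explode(',', $req['headers']['access-control-request-headers'] ?? '')));
    $allowed   = array_map('strtolower', $cfg['allowedHeaders']);
    foreach ($requested as $h) {
        if (!in_array(strtolower($h), $allowed, true)) {
            return ['_note' => "header $h not in allowedHeaders: preflight fails, the GET is never sent"];
        }
    }
    $out['Access-Control-Allow-Methods'] = implode(', ', $cfg['allowedMethods']);
    $out['Access-Control-Allow-Headers'] = implode(', ', $cfg['allowedHeaders']);
    $out['Access-Control-Max-Age']       = (string) $cfg['maxAge'];
    return $out;
}

function show(string $label, array $result): void
{
    echo $label, ":\n";
    foreach ($result as $k => $v) {
        echo "    $k: $v\n";
    }
}

// --- Replaying the two requests from the question -------------------------------------
// Same-origin XHR: jQuery adds X-Requested-With, there is no Origin, nothing to negotiate.
show('first-domain -> first-domain', corsHeaders(
    ['method' => 'GET', 'headers' => ['x-requested-with' => 'XMLHttpRequest']], CORS_AS_POSTED));

// Cross-origin GET with only safelisted headers: no preflight, the response is allowed,
// but the server never sees X-Requested-With because jQuery omits it cross-domain.
show('second-domain -> first-domain, plain GET', corsHeaders(
    ['method' => 'GET', 'headers' => ['origin' => 'http://www.second-domain.com']], CORS_AS_POSTED));

// Adding X-Requested-With on the client makes the browser preflight first. With the
// posted config the header is not allowed, so the GET is never sent; the tightened
// config allows it and the preflight succeeds.
$preflight = ['method' => 'OPTIONS', 'headers' => [
    'origin'                         => 'http://www.second-domain.com',
    'access-control-request-method'  => 'GET',
    'access-control-request-headers' => 'x-requested-with',
]];
show('preflight with the posted config', corsHeaders($preflight, CORS_AS_POSTED));
show('preflight with the tightened config', corsHeaders($preflight, CORS_TIGHTENED));
```

With `supportsCredentials` false, `'*'` is acceptable for a widget that any site may embed and that returns nothing user-specific. The moment the response depends on the visitor's `laravel_session` cookie, the browser requires an exact origin and `Access-Control-Allow-Credentials: true`, and `'*'` stops working, which is why the tightened form names the embedding site.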

Set-Cookie generated at a bad time in PHP's session_set_save_handler function

When I access an action to get some cookie, I have two ways to realize the goal, but I won't access the action directly.
One is to use Fiddler2 to build an HTTP request; the other is writing some code in PHP to simulate an HTTP request. The following code is my implementation.
The action: www.example.com/account/login
account is the controller, login is the action; I use MVC.
When I use Fiddler, I build a request like the following:
*******************************************************
POST http://localhost/account/Login HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 67
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://localhost/lm006/home/index.php
Accept-Encoding: gzip,deflate,sdch
username=admin&password=fsdfsdafdss
*******************************************************
When I use PHP, I write code like this:
*******************************************************
$method = "POST";
$option = array('http' => array(
    'method' => $method,
    // A POST body needs a Content-Type; the stream wrapper does not add one for you.
    'header' => "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.0.04506; CIBA)\r\n"
              . "Accept: */*\r\n"
              . "Content-Type: application/x-www-form-urlencoded\r\n"
              . "Referer: " . $referer,
));
if ($method === 'POST') {
    $option['http'] = array_merge($option['http'], array('content' => http_build_query($postdata)));
}
$files = file_get_contents($url, false, stream_context_create($option));
// Append a final CRLF so the pattern also matches the last header line.
preg_match_all("/Set-Cookie:(.*?)\r\n/", implode("\r\n", $http_response_header) . "\r\n", $cookies);
*******************************************************
The very strange thing is, if I use Fiddler to get the cookie, I get headers like:
***************************************************************************
array (
0 => 'X-Powered-By: PHP/5.3.5',
1 => 'Expires: Thu, 19 Nov 1981 08:52:00 GMT',
2 => 'Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0',
3 => 'Pragma: no-cache',
4 => 'Set-Cookie: PHPSESSID=2b4v30vuglap0sid2rtitgmeh0; path=/',
)
***************************************************************************
Here there is just one Set-Cookie.
If I use PHP, I get:
***************************************************************************
array (
0 => 'X-Powered-By: PHP/5.3.5',
1 => 'Set-Cookie: PHPSESSID=7fdvb0vaasdp0sid2rti234ap1; path=/',
2 => 'Expires: Thu, 19 Nov 1981 08:52:00 GMT',
3 => 'Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0',
4 => 'Pragma: no-cache',
5 => 'Set-Cookie: PHPSESSID=2b4v30vuglap0sid2rtitgmeh0; path=/',
)
***************************************************************************
Here there are two Set-Cookie headers!
I traced the code in Xdebug.
I found this situation:
$header1 = headers_list();
@session_set_save_handler(array($this, 'openSession'), array($this, 'closeSession'), array($this, 'readSession'), array($this, 'writeSession'), array($this, 'destroySession'), array($this, 'gcSession'));
$header2 = headers_list();
$header1 is 'X-Powered-By: PHP/5.3.5' both ways.
$header2 for the Fiddler way is
************************************************
array (
0 => 'X-Powered-By: PHP/5.3.5',
1 => 'Expires: Thu, 19 Nov 1981 08:52:00 GMT',
************************************************
$header2 for the PHP way is
******************************************************************
array (
0 => 'X-Powered-By: PHP/5.3.5',
1 => 'Set-Cookie: PHPSESSID=7fdvb0vaasdp0sid2rti234ap1; path=/',
2 => 'Expires: Thu, 19 Nov 1981 08:52:00 GMT',
*******************************************************************
Here we get an additional Set-Cookie item!
It's very strange; I hope for your help.
Thanks a lot.
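Both the ASP.NET login question above and this one end up hand-parsing `Set-Cookie` out of `$http_response_header`, and both captures show the two things such code has to get right: attributes like `path=/` and `HttpOnly` must not be echoed back in the `Cookie` header, and when one response carries two `Set-Cookie` lines for the same name (the two `PHPSESSID` lines here) the later one replaces the earlier one, as a browser would do. The block below is an added example, not code from either question: a small cookie jar for PHP's HTTP stream wrapper. Every header array in it is constructed from the captures, the `SSOAuth` value is a placeholder, and the `Secure` attribute on the second `PHPSESSID` line is added to exercise the https-only check.

```php
<?php
declare(strict_types=1);

// Added example, not code from either question. A small cookie jar for PHP's HTTP stream
// wrapper: it reads Set-Cookie lines from $http_response_header (the array file_get_contents()
// fills after a request), keeps only name=value for the Cookie header (attributes such as
// "path=/" or "HttpOnly" are instructions to the client and must not be echoed back), lets a
// later Set-Cookie for the same name replace an earlier one, and withholds Secure cookies from
// plain-http requests. All header arrays below are constructed; the SSOAuth value is a placeholder.

final class CookieJar
{
    /** @var array<string, array{value: string, secure: bool, httponly: bool}> */
    private $cookies = [];

    /** Feed every header line of a response; lines other than Set-Cookie are ignored. */
    public function absorb(array $responseHeaders): void
    {
        foreach ($responseHeaders as $line) {
            if (stripos($line, 'Set-Cookie:') !== 0) {
                continue;
            }
            $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
            $pair  = array_shift($parts);
            if ($pair === null || strpos($pair, '=') === false) {
                continue;                                    // malformed line, skip it
            }
            [$name, $value] = explode('=', $pair, 2);
            $attrs = array_map('strtolower', $parts);
            $this->cookies[trim($name)] = [                  // later header for the same name wins
                'value'    => $value,
                'secure'   => in_array('secure', $attrs, true),
                'httponly' => in_array('httponly', $attrs, true),
            ];
        }
    }

    /** Cookie header line for the next request to the same host. */
    public function cookieHeader(bool $https): string
    {
        $pairs = [];
        foreach ($this->cookies as $name => $c) {
            if ($c['secure'] && !$https) {
                continue;                                    // never downgrade a Secure cookie
            }
            $pairs[] = $name . '=' . $c['value'];
        }
        return 'Cookie: ' . implode('; ', $pairs);
    }

    public function has(string $name): bool
    {
        return isset($this->cookies[$name]);
    }
}

// --- Constructed responses -------------------------------------------------------------
$jar = new CookieJar();

// 1. First GET of the ASP.NET login page: only the session id comes back.
$jar->absorb([
    'HTTP/1.1 200 OK',
    'Set-Cookie: ASP.NET_SessionId=s44bymd3lm4dsykvymjljv5s; path=/; HttpOnly',
    'Content-Length: 714',
]);
echo $jar->cookieHeader(false), "\n";

// 2. The login POST answers with the auth cookie; the jar now carries both.
$jar->absorb(['HTTP/1.1 200 OK', 'Set-Cookie: SSOAuth=EXAMPLE-TOKEN; path=/; HttpOnly']);
echo $jar->cookieHeader(false), "\n";

// 3. Two Set-Cookie lines for PHPSESSID in one response (this question): as in a browser,
//    the later one replaces the earlier one, and its Secure flag keeps it off plain http.
$php = new CookieJar();
$php->absorb([
    'X-Powered-By: PHP/5.3.5',
    'Set-Cookie: PHPSESSID=7fdvb0vaasdp0sid2rti234ap1; path=/',
    'Set-Cookie: PHPSESSID=2b4v30vuglap0sid2rtitgmeh0; path=/; Secure',
]);
echo $php->cookieHeader(true), "\n";
echo $php->cookieHeader(false), "\n";

// Live use with the stream wrapper:
//   $html = file_get_contents($url, false, $ctx);
//   $jar->absorb($http_response_header);
//   $ctx = stream_context_create(['http' => ['method' => 'POST',
//             'header' => [$jar->cookieHeader(true), 'Content-Type: application/x-www-form-urlencoded'],
//             'content' => http_build_query($fields)]]);
```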
