Is there an Apache or Php setting that would change a header returned by getallheaders() from Capitalized to lowercase?
On my localhost it receives an Authorization header but the same code returns authorization on the server. and the same client(Postman) is being used in both cases
As per the HTTP/1.1 spec Field names are case-insensitive.
https://www.ietf.org/rfc/rfc2616.txt
Related
I have a local testing application mimicking the host test.mywebsite.com on port 4200.
It makes a call to api.test.mywebsite.com (also locally hosted) to /login
The request passes, the server returns 200 and some information, and along with it it sets this header which I see in the response headers:
Set-Cookie: refreshToken={JWT here}; expires=Sun, 23-May-2021 20:38:32 GMT; Max-Age=1296000; path=/; domain=.test.mywebsite.com; HttpOnly
This doesn't get stored in my browser (either Chrome or Firefox) and I'm trying to figure out why.
Here's some more information about my setup if needed:
Angular server using ng serve --host=test.mywebsite.com to get the test frontend up on http://test.mywebsite.com:4200
Kubernetes backend running on localhost (with my hosts file redirecting api.test.mywebsite.com to 127.0.0.1) which directs the request to a PHP pod that creates the cookie using this code:
setcookie(
"refreshToken", // name
$refreshJWT->token, // token
$refreshJWT->expiration, // expires in 15 days
'/', // path
".".$refreshJWT->domain, // domain
($refreshJWT->environmentType === "test") ? false : true, // security
true // httponly
);
I fear it's something painfully simple or an oversight somewhere, but can't for the life of me find out what. The only thing I can think of would be the port not matching with the cookie host, but as far as I know cookie domains are port-agnostic. I've tried adding :4200 to the end of the cookie domain anyway and still have the same problem.
Update: setcookie() returns true, so there's no output previous to setting the header.
Update2: I deployed it to a staging server and the problem still occurs despite no DNS trickery or proxies going on.
Update3: I've narrowed it down to a combination of my api server's Access-Control-Allow-Origin header, and my JS' use of withCredentials
My Access-Control-Allow-Origin is set to *. If I send the request withCredentials as false, it returns the body to the JS but refuses the cookie. If I set withCredentials to true, it sets the cookie but refuses to allow the JS to read the body.
I found out the reason, for anyone who may be stumbling on this:
The first problems was while my requests were going through and returning 200, the cookie was not being set because I didn't agree to receive a cookie on the frontend. To agree to cookies on the frontend, I had to use withCredentials.
The second problem was on the backend, I didn't explicitly send the header Access-Control-Allow-Credentials This would allow both front and backend to agree to a cookie exchange.
The third problem was my backend had a wildcard set for Access-Control-Allow-Origin, which my browser requires to match the current host exactly if withCredentials is used.
It makes a call to api.test.mywebsite.com
...
domain=.test.mywebsite.com
These need to be the same hostname
I want to change the 'SERVER["HTTP_CONNECTION"]' status keep-alive to close.
in wamp -> httpd-default.conf its show
KeepAlive On
I already try to 'KeepAlive Off' but it doesn't works.
I want to set it off.
This is not possible:
$_SERVER['HTTP_CONNECTION'] is the value of the HTTP Connection header
sent as part of the request by the client. It is not a server setting.
You cannot change it and you cannot force the client to send another
value in that header. It's up to the client.
Resource
I'm seeing these two headers in my response header of an AJAX call. Need to know more about this and what is the meaning of this header? Is this implies to caching of data from server?
X-Cache:MISS from localhost
X-Cache-Lookup:MISS from localhost:3128
It doesnt matter whether a resource was requested via mydomain.com OR mydomain.com:80(which is how some bots/spiders make requests): HTTP_HOST always shows up as 'mydomain.com' and there is no way for PHP to know whether the request included a :80 (2). This leads me to believe that Apache passes the exact same request to PHP whether the port is specified or not (an it makes sense).
The problem: I have the NewRelic PHP agent installed on this machine, and it reports to the NewRelic service, via a PHP auto_prepend_file used to name the applications separately(1), both mydomain.com and mydomain.com:80. These two are the same application showing up under two different names in NewRelic control panel, which is undesirable. Since the application name is set via PHP, how could mydomain.com:80 possibly be passed to the NewRelic API when the code setting the name can't even see whether the request explicitly defines :80? NewRelic support tells me that my code is passing the :80 to their API, and that's just not possible(2). Does Apache pass to PHP whether the port (:80) was explicitly requested or not?
1) if I don't use this file, every vhost on the server will report under the same generic 'PHP Application' name
2) SERVER_PORT will always be 80, whether explicitly invoked or not (unless of course it's an https or non standard port request, which is not what's being discussed here). In other words, I cannot use SERVER_PORT to filter requests that have the port explicitly defined because whether the request does or does not have an explicitly defined port is invisible to PHP.
Apache 2.2.15, mod_fcgid 2.3.7, PHP 5.3.3, Linux 2.6.32.60-40 x64, CentOS 6.4
HTTP_HOST is literally just the hostname, e.g. www.example.com, of the site you're accessing. If you want the port number that the request came in to, then there's $_SERVER['SERVER_PORT']
Browsers AND curl will strip the :80 from the host header when the port requested is the standard (port 80). Since I had not tested using a manually issued GET, I didn't see how could $_SERVER['HTTP_HOST'] include a port number. I found that it does, WHEN the port is included in the Host header (which makes sense, since the manual specifies that $_SERVER['HTTP_HOST'] is "Contents of the Host: header from the current request, if there is one.")
Section 14.23 of the HTTP spec states that the port # should be included in a request IF its not the default port of 80. But it doesn't say whether it's OK or not to include the port number when the port used IS the default.
In my case, the requests that do include the port number, even when using the default port, came from the Baidu Spider.
If you need to see this by yourself, you need to issue a manual GET request. Use Netcat or Telnet to send these commands:
$ telnet www.host.com 80
GET /host.php HTTP/1.1
Host: www.host.com:80
Connection: close
(add two CRLFs at the end)
When I try to use this code:
header('X-Powered-By: ASP.NET');
header('Server: Microsoft-IIS/7.5');
the headers that have sent are:
Server:Apache/2.2.22 (Win64) PHP/5.4.3
X-Powered-By:ASP.NET
What do I need to do?
Your Server header is being replaced by apache2.
The solution may be to completly disable sending Server header by web server. In fact apache (and most of web servers) does not allow you to completly disable server signature.
You can find some useful information here: Removing http headers in Apache2