Currently I wanted to Access the Url Which require A cookie.Without Cookie It redirect to other Url. I try to Set Cookie in request header but only getting the Cookies in response header. Don't know Why it Happen.
this is Response Header:
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type:text/html; charset=UTF-8 Date Mon, 26 Sep 2016 11:52:59 GMT Expires
Thu, 19 Nov 1981 08:52:00 GMT
Location
quotev3.php?sub=compare
Pragma
no-cache
Server
nginx
Set-Cookie
PHPSESSID=e2dnbfjvhi29e7qnkm0jbnekc4; path=/
country=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
X-Firefox-Spdy
h2
Request Header
Accept
*/*
Accept-Encoding
gzip, deflate, br
Accept-Language
en-US,en;q=0.5
Connection
keep-alive
Content-Length
119
Content-Type
application/x-www-form-urlencoded
Host
www.parcelmonkey.co.uk
Origin
null
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
I set a Cookie in header File Like that.
$cookie=$_COOKIE['PHPSESSID'];
ob_start();
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With');
header('Access-Control-Allow-Credentials: true');
header('Cookie:'.$cookie);
Any Solution Will be very Appriciated.Thanks
You need to specify the key of the cookie, not just it's value.
Also, the command is Set-Cookie and not Cookie.
Use the setcookie function, or header like this:
setcookie('PHPSESSID', $cookie);
or
header("Set-Cookie: PHPSESSID={$cookie};");
Related
I've been tumbling around for a while on the HTTP set-cookie topic but I'm not making any progress. My situation goes as follows:
My API is hosted on api.mysite.com and I have an admin dashboard on admin.mysite.com. I make a POST request from admin.mysite.com to api.mysite.com/login to verify credentials and it returns the session cookie. The cookie configuration is:
session_set_cookie_params([
'lifetime' => 36000,
'path' => '/',
'domain' => '.mysite.com.co',
'secure' => 1,
'httponly' => 0,
'samesite' => 'None'
]);
The response seems okay:
HTTP/1.1 200 OK
Date: Thu, 04 Nov 2021 16:22:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=63072000
Access-Control-Allow-Origin: https://admin.mysite.com
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, accept, authorization, client-security-token, Cache-Control, X-Mashape-Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Expose-Headers: Content-Security-Policy, Location
Access-Control-Max-Age: 1000
Upgrade: h2
Connection: Upgrade, Keep-Alive
Set-Cookie: PHPSESSID=hash; expires=Fri, 05-Nov-2021 02:22:57 GMT; Max-Age=36000; path=/; domain=.mysite.com; secure; SameSite=None
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Credentials: true
Content-Length: 549
Keep-Alive: timeout=5, max=100
Content-Type: text/html; charset=UTF-8
But the cookie is not stored. However, it is stored if I make the request from api.mysite.com/testCookies to api.mysite.com/login so it seems to be a domain/site problem (maybe CORS?)
I will appreciate any guidance on this topic.
Same answer as here. The keypoint is the usage of withCredentials property. Not sure though, why do I have to send them even if the cookies are originated on subdomain A and set on subdomain B.
I've been trying using axios from Vue calling to my API in lumen but it sends options method in place of post because of CORS.
Here is my request details
General
Request URL: http://192.168.1.100/lv_api/code/login
Request Method: OPTIONS
Status Code: 405 Method Not Allowed
Remote Address: 192.168.1.100:80
Referrer Policy: no-referrer-when-downgrade
Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token, X-
Requested-With
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: http://192.168.1.100:8000
Allow: POST
Cache-Control: no-cache, private
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Wed, 03 Oct 2018 06:22:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 192.168.1.100
Origin: http://192.168.1.100:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Tried setting headers but I am not sure about the proper values to be set for the issue.
If I create a method for Options request in my API it works fine but that's not the proper solution to this.
Thanks in advance.
Resolved the issue just by adding following lines in my api code
header('Access-Control-Allow-Origin: your origin');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age:86400');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token, Accept, Authorization, X-Requested-With');
you can install spatie/laravel-cors for resolve this issue
just wanted to find a solution to this. I am within System A and I make the following call
$("#page-form").submit(function(event){
$.ajax({
type: "POST",
url: "https://someOtherUrl/process.php",
data: {
'mobNumber': $("#mobile").val()
}
}).done(function (response) {
alert(response);
});
})
Now this makes a call to a PHP file on another server. This PHP file does nothing at the moment, I simply have
<?php
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
var_dump("1");
However I am getting a cross origin request blocked error. Why would this be happening?
As a side note, I have no access to the server running System A, so it has to be done on my server where the PHP file sits.
Thanks
Update
Server seems to have this
Response headers
Cache-Control no-cache
Connection Keep-Alive
Content-Type text/html; charset=utf-8
Date Thu, 25 Jun 2015 12:31:50 GMT
Expires Thu, 25 Jun 2015 12:31:50 GMT
Keep-Alive timeout=5, max=99
Pragma no-cache
Server Apache
Transfer-Encoding chunked
Vary Accept-Encoding
x-ua-compatible IE=edge
Request headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Connection keep-alive
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Try this in the .htaccess file present at the root folder on https://someOtherUrl/ :
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
I am trying to load data into a jQuery dialog via ajax but the request is failing in Firefox (34.0.5). Works fine and I get no complaints in Chrome and Safari.
My apache conf contains:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods: "PUT, GET, POST, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
The jQuery is simply:
$('#dialog').load('example.php', function() { $('#dialog').dialog('open'); });
Firefox responds with the following console error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.example.com/example.php. This can be fixed by moving the resource to the same domain or enabling CORS.
Inspecting the response headers from the ajax request they all seem to be intact and inline with what's declared in apache. Should I be including some other directive or changing the configuration in some way for this to work?
UPDATE: At the root of the issue is the fact that I'd like both example.com and www.example.com to function the same. The site in question always has a tag in the header <base href="www.example.com" /> in both instances as this is part of the default site framework. I've since discovered that removing this link allows the ajax request to work on example.com, even when it still specifically calls a resource from the www subdomain.
Interestingly, many aspects of the request and response headers change when this tag is removed. For anyone who might have a clue about the implications here I'm pasting both the request and response headers below.
Here are the headers with <base> tag removed. In this case the ajax call was successful:
RESPONSE
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 22:11:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: PHPSESSID=xxx; path=/; HttpOnly
language=en; expires=Tue, 17-Feb-2015 22:11:04 GMT; Max-Age=2592000; path=/; domain=www.example.com
currency=CAD; expires=Tue, 17-Feb-2015 22:11:04 GMT; Max-Age=2592000; path=/; domain=www.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Content-Encoding: gzip
access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS
access-control-allow-origin: *
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 1515
Connection: close
Content-Type: text/html; charset=utf-8
REQUEST
GET /example.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:34.0) Gecko/20100101 Firefox/34.0 FirePHP/0.7.4
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/
Origin: http://example.com
x-insight: activate
Connection: keep-alive
Cache-Control: max-age=0
And here are the headers with the <base> tag intact. These headers reflect the scenario where the ajax call failed. It's worth noting that the 'Location' field in the response header says 'https' even though this was not happening over an https connection:
RESPONSE
HTTP/1.1 302 Found
Date: Sun, 18 Jan 2015 22:12:26 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: PHPSESSID=xxx; path=/; HttpOnly
language=en; expires=Tue, 17-Feb-2015 22:12:26 GMT; Max-Age=2592000; path=/; domain=www.example.com
currency=CAD; expires=Tue, 17-Feb-2015 22:12:26 GMT; Max-Age=2592000; path=/; domain=www.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, public
Pragma: no-cache
Status: 302
Location: https://www.example.com/index.php
access-control-allow-methods: PUT, GET, POST, DELETE, OPTIONS
access-control-allow-origin: *
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 0
Connection: close
Content-Type: text/html
REQUEST
OPTIONS /example.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:34.0) Gecko/20100101 Firefox/34.0 FirePHP/0.7.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://example.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
x-insight: activate
Connection: keep-alive
Cache-Control: max-age=0
According to MDN, you can't use the wildcard for "credentialed requests", so maybe your request falls in that category.
I am using php curl to view this webpage remotely http://agentnet.propertyguru.com.sg/ex_login?w=1&redirect=/ex_home
The page redirects to another page /distil_identify_cookie.html?uid=... before redirecting back to the initial login page
I have set the following in my curl script
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, FALSE);
This did not stop the page from redirecting.
Can anyone advise how I can store this $_GET variable "uid" in a cookie before the page redirects?
Add:
After executing the curl statements ($response = curl_exec($ch);), $response is as per below
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Jul 2014 08:47:32 GMT Content-Type: text/html
Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache
Set-Cookie: PHPSESSID2=94l8r0sainetrrc3vl0r7dl2f4; path=/; domain=.propertyguru.com.sg
Set-Cookie: __PAGE_REFERRER=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=agentnet.propertyguru.com.sg
Set-Cookie: __PAGE_SITE_REFERRER=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=agentnet.propertyguru.com.sg
Vary: Accept-Encoding X-Distil-CS: MISS
I cannot find anything in the header stating the uid value...
You can set both CURLOPT_FOLLOWLOCATION and CURLOPT_HEADER to TRUE. This way, in the final result you`ll have the headers for all redirects that happen during your request. Then, you can parse the headers to get the info you need.