When does PHP set the session cookie? - php

I have some difficulties maintaining a session on server request and response between the initial server call and an ajax call.
I am sending an ajax call after the initial server load to the same domain, where I am using sessions in both cases.
The session cookie is not being set on server load (knowing that session_start() is called and the session has data), and it seems that it is being set twice on the first ajax call:
Server response of the ajax call after page load:
Set-Cookie: PHPSESSID=aef6668de2af148bcc3a3bd3de71f880; expires=Tue, 08-Mar-2016 07:38:43 GMT; path=/; domain=www.somedomain.com; secure; HttpOnly
PHPSESSID=aef6668de2af148bcc3a3bd3de71f880; expires=Tue, 08-Mar-2016 07:38:43 GMT; path=/
What actually triggers the server to send the Set-Cookie header that stores the session id in a cookie on the server response?
Is it session_start(), or setting $_SESSION to a given value on the server side?
I know that session_set_cookie_params() also has this impact, but can this in any way create 2 consecutive set calls of the session cookie if session_set_cookie_params() is called with session_start() in the same server response?

Related

set-cookie header is getting blocked on React app running locally from Laravel app running on different domain

I have a Laravel app deployed on Vapor (AWS Lambda). I am trying to send an API request to it from a React app running locally.
Below are the set-cookie headers from the API response:
XSRF-TOKEN=eyJpdiI6IlVSZGJrT2duOEo4dzFkaHNsb1pIS3c9PSIsInZhbHVlIjoiaXdlQmo2QmtsVjByUnFkREt1UE5XYWIvQTc1b3pVZlFLL09rWDhEY1FIL3JiYUg1Z2lBZUdQeVp1MEhyay80RG00SHJZNytSN1paZ0VKNjBBSzQxOEF6Y2tGSGF5SHZpa3QrbkVQWjErKzMzeXFJaUwrUTBqVi9iTklaRnBROXQiLCJtYWMiOiIzNTgxOGFiZGRkZTRlYTE5MzY1MDY4Y2UzMzA5YzdkYzk5NWUxMzdjMDdkMTY4NDI5YmFiNGQ4NTg4NGIzNTQxIiwidGFnIjoiIn0=; expires=Fri, 17-Sep-2021 16:00:35 GMT; Max-Age=7200; path=/; domain=localhost; samesite=lax
hylo_session=eyJpdiI6InEzK0Q3aytCWGM2T1dVSFdTSy80L2c9PSIsInZhbHVlIjoiYUpwd2tKV09GbTMrc2Z1WUdoM0hSc1V4TGFDQjR4elNxeFJudGpMMWM0M2kyUzZlY3JnNzRRc3BvRWk0S1J2S1RwOFRrSndzcFI2Vjh0c1Ewd1JiM1E5bHhXRDBkbnlLRlI4czdqTUsrRXViZXRHcUV2NklOekQvYk5iSWpraUQiLCJtYWMiOiI1OGExZGFiNzdkNzVlY2U3MjFkZGJjMTNjYTE3ZmVhYWQ4MjM5NzZkMDkxNWRkZDQ2Mjk4YTlhYTYzMTdlOGQ0IiwidGFnIjoiIn0=; expires=Fri, 17-Sep-2021 16:00:35 GMT; Max-Age=7200; path=/; domain=localhost; httponly; samesite=lax
Somehow the cookie is blocked. I am getting the following warning in the Network Tab:
The attempt to set cookie via set-cookie is blocked because its domain attribute is invalid with regards to the current host URL.
I am using Laravel Sanctum for Auth. Following are my env related to session:
SESSION_DRIVER=redis
SESSION_LIFETIME=120
SESSION_DOMAIN=localhost
SANCTUM_STATEFUL_DOMAINS=localhost:3000
CORS_ALLOWED_ORIGINS=http://localhost:3000
I even tried setting the same_site value to none in session.php, but it is still sending samesite as lax.
Any clue how to get this working?

Why does my host automatically add the secure flag to a cookie?

I wrote a program that sets a cookie. It works well in HTTP mode, but when I use the HTTPS protocol, the cookie header automatically gets the secure flag added to it:
set-cookie: val=is; expires=Sun, 16-Feb-2025 07:26:50 GMT; Max-Age=90000; path=/; secure
my code is:
<?php
header('Set-Cookie: val=is; expires=Sun, 16-Feb-2025 07:26:50 GMT; Max-Age=90000; path=/');
What makes this happen?

Is it possible to get rid of laravel_session in Set-Cookie of a request?

I happen to notice that when I make a request to my API (written in Laravel framework), there is Set-Cookie:
Set-Cookie: laravel_session=eyJpdiI6IlF5SDNLeGlRRTBFSlVJbXROSEZMWlE9PSIsInZhbHVlIjoiRlZXWVJrZERJN0tPRDU1TG40MGpJeURDQjRncUFYWGk4MjRBeFhMVHc3S2w5aW8yRFc1TCt4UWUzTEJnMTRpNkpYYkV6bnZ6Yk85RWF0MGIxaVhXYkE9PSIsIm1hYyI6ImRmNTc0MzRkZGM1ZDg0YWZkMWZjZThjOGI4Y2FlNTI2NjRhN2JjOGU0OTVkMWEwNTMwYTNlZmYxY2Y2ODNiMzkifQ%3D%3D; expires=Fri, 09-Jan-2015 20:49:47 GMT; Max-Age=7200; path=/; httponly
How can I get rid of it, or block my Laravel API from using it? Is it possible to add a script in that laravel_session value?
Also, how do I prevent my app from consuming the cookie set by the request?
You can disable session cookies for the whole application by changing the session driver to array.
In app/config/session.php:
'driver' => 'array'

session_start()

I have a page that is just:
<?php
session_start();
?>
The server response headers are showing:
HTTP/1.1 200 OK
Date: Fri, 01 Jul 2011 03:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=zOk****************; path=/
Content-Type: text/html
I was expecting a file in start/run/cookies, something like:
user#mysite[1]
but there is none.
Why not?
My end point is to have the usual logged-in / not-logged-in test for each page, including the splash page ...
Session data is stored on the server and not on the client side.
To store session data on client you have to enable session.use_only_cookies.
Have a look at the PHP manual at http://php.net/manual/session.security.php
Thanks all for your help.
I downloaded a program called Fiddler, which enabled me to see the characters that were passed back and forth between my server and my client.
I created a php file [A] on my server that contained only:
<?php
session_start();
echo "<a href='/testsessstill.php'>test again</a>";
I created a php file [B], testsessstill.php, that just echoed "hi".
I called A from my browser.
PHPSESSID=xxxx in Client Request Header? NO
PHPSESSID=xxxx in Server Response Header? YES
Cookie file in the client computer's cookie folder? NO
File in server /tmp folder? NO
I called B from the link in A.
PHPSESSID=xxxx in Client Request Header? YES
PHPSESSID=xxxx in Server Response Header? NO
Cookie file in the client computer's cookie folder? NO
File in server /tmp folder? NO
I searched my client computer for the presence of the string "SESSID" in any file and none was found.
Therefore, my belief AND CORRECT ME IF I AM WRONG is as follows:
When session_start() is called, it returns a SESSID to the client in the headers. The SESSID is retained and is associated with the site the session relates to in the memory of the client, and is not written to a file on the client.
When a client request header arrives with a value in PHPSESSID, the server reads it but does not retain that SESSID anywhere. The value for SESSID is only present in memory on the client. The server does not return the SESSID in the response header to the client. If a request arrives with a SESSID in the header, then the server accepts it as the SESSID.
[Obviously the next step is setting values associated with the SESSID, but it helped me at least to explore the above first. It will help me understand security, I think.]
How'd I go? Is that all an accurate assessment?
A session consists of two components:
the actual session data on the server
a cookie with a session id on the client
When starting a session, the server creates a random file in a system directory (configurable via the session.save_path option) in which it stores all the data you write into $_SESSION. It sends a cookie to the client with a random session id. This session id by itself is worthless; it just helps the server associate a certain session with a specific client. The client returns this session id cookie to the server on subsequent requests, which the server picks up when calling session_start() to re-activate an already existing session.
There's no session data stored on the client, only the session id cookie.
How and where that cookie is stored depends entirely on the browser in use.
You need to call session_start() on every page you wish to use sessions.
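Both the question at the top of the page (what makes PHP queue a Set-Cookie header, and why there can be two of them) and the Fiddler experiment in this thread (Set-Cookie on the first response, none on the second) can be watched directly by diffing headers_list() around each call. The script below is an added example, not code from either poster. It assumes PHP 7.4 or later (arrow functions and the array form of session_set_cookie_params()) and PHP's built-in development server; the ?rotate and ?manual query parameters and the hits counter are inventions for the demo.

```php
<?php
// trace_session_cookie.php -- added example, not from the question.
// Run:  php -S 127.0.0.1:8080 trace_session_cookie.php
// then, keeping cookies between calls:
//   curl -c jar -b jar http://127.0.0.1:8080/            (first visit: one Set-Cookie)
//   curl -c jar -b jar http://127.0.0.1:8080/            (second visit: none)
//   curl -c jar -b jar http://127.0.0.1:8080/?manual=1   (a second, weaker Set-Cookie)
// Which call queued a header is printed on the server's terminal via error_log().
declare(strict_types=1);

/** Returns the Set-Cookie headers queued so far for this response. */
function queuedSetCookieHeaders(): array
{
    return array_values(array_filter(
        headers_list(),
        fn(string $h): bool => stripos($h, 'Set-Cookie:') === 0
    ));
}

/** Runs $step, logs any Set-Cookie headers it added, returns how many it added. */
function traceStep(string $label, callable $step): int
{
    $before = count(queuedSetCookieHeaders());
    $step();
    $added = array_slice(queuedSetCookieHeaders(), $before);
    error_log(sprintf('%-34s +%d Set-Cookie', $label, count($added)));
    foreach ($added as $h) {
        error_log('    ' . $h);
    }
    return count($added);
}

// Changing the cookie parameters never emits a header by itself.
// 'secure' is false only because the dev server above speaks plain HTTP;
// a browser would not send a Secure cookie back over http://.
traceStep('session_set_cookie_params()', fn() => session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => false,
    'httponly' => true,
    'samesite' => 'Lax',
]));

// Set-Cookie is queued here only when the request carried no usable PHPSESSID.
traceStep('session_start()', fn() => session_start());

// Writing to $_SESSION changes the server-side session file, never the response headers.
traceStep('$_SESSION write', function (): void {
    $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
});

// Rotating the id (e.g. right after login) sends a fresh Set-Cookie on this request.
if (isset($_GET['rotate'])) {
    traceStep('session_regenerate_id(true)', fn() => session_regenerate_id(true));
}

// A manual setcookie() for the session name queues a SECOND, independent Set-Cookie
// carrying only the attributes it is given; this is a common source of the duplicate
// header, with one copy lacking the secure/HttpOnly flags of the other.
if (isset($_GET['manual'])) {
    traceStep('setcookie(session_name(), ...)',
        fn() => setcookie(session_name(), session_id(), ['path' => '/']));
}

header('Content-Type: text/plain');
echo 'hits=', $_SESSION['hits'], "\n";
```

The log for the first request shows exactly one header, added by session_start(); the second request shows none for every step, because the client presented PHPSESSID and the session file already exists. Only session_regenerate_id() or an explicit setcookie() produces another Set-Cookie, and the explicit one has whatever scope and flags that call specifies.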

problem with setting a cookieless domain

Here is the header from Firebug that shows the scope of the PHP session cookie:
Set-Cookie PHPSESSID=f0e2dfe56cc78be718c8154ac80d1ae2; path=/; domain=pix-all.com
But still the PHP session cookie is being sent for any requests to static.pix-all.com:
Cookie PHPSESSID=f0e2dfe56cc78be718c8154ac80d1ae2;
What could be the problem?
If the cookie is set for the domain pix-all.com, then it will always be sent in requests to static.pix-all.com, because static.pix-all.com is a subdomain of pix-all.com.
So what is the problem? You're having issues because the cookie works as it's supposed to?
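The three cookie-scope situations on this page (the duplicate PHPSESSID headers in the top question, the rejected domain=localhost cookie in the Laravel/Sanctum question, and the pix-all.com cookie reaching static.pix-all.com here) all follow from how a browser stores cookies. The script below is an added example, not code from any of the posts: it parses Set-Cookie values, applies the RFC 6265 section 5.1.3 domain-matching rule and the section 5.3 rule that a cookie is identified by (name, domain, path), and lists weak attributes. It assumes PHP 8.0 (str_ends_with, str_contains). The header lines it replays are the ones quoted on this page, with the XSRF-TOKEN value replaced by a placeholder; the single-label rejection mirrors the browser warning quoted in the Laravel question rather than the RFC text.

```php
<?php
// cookie_scope_check.php -- added example; models browser cookie storage per RFC 6265.
declare(strict_types=1);

/** Parse one Set-Cookie value into name/value plus the attributes that matter for scope. */
function parseSetCookie(string $headerValue, string $requestHost): array
{
    $parts = array_map('trim', explode(';', $headerValue));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $cookie = [
        'name' => $name, 'value' => $value,
        'domain' => strtolower($requestHost), 'hostOnly' => true,  // no Domain attr: host-only
        'path' => '/', 'secure' => false, 'httponly' => false, 'samesite' => null,
    ];
    foreach ($parts as $attr) {
        if ($attr === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $attr, 2), 2, '');
        switch (strtolower($k)) {
            case 'domain':                                   // RFC 6265 5.2.3: leading dot ignored
                $d = strtolower(ltrim($v, '.'));
                if ($d !== '') {
                    $cookie['domain'] = $d;
                    $cookie['hostOnly'] = false;
                }
                break;
            case 'path':
                if ($v !== '' && $v[0] === '/') {
                    $cookie['path'] = $v;
                }
                break;
            case 'secure':
                $cookie['secure'] = true;
                break;
            case 'httponly':
                $cookie['httponly'] = true;
                break;
            case 'samesite':
                $cookie['samesite'] = ucfirst(strtolower($v));
                break;
            // expires / Max-Age are ignored here: they affect lifetime, not scope
        }
    }
    return $cookie;
}

/** RFC 6265 5.1.3: does request host $host domain-match cookie domain $domain? */
function domainMatches(string $host, string $domain): bool
{
    $host = strtolower($host);
    $domain = strtolower($domain);
    if ($host === $domain) {
        return true;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;                                        // IP addresses never suffix-match
    }
    return str_ends_with($host, '.' . $domain);
}

/**
 * Apply one Set-Cookie to $jar the way a browser does (RFC 6265 5.3): drop a cookie whose
 * Domain does not cover the request host, and replace any stored cookie with the same
 * (name, domain, path) regardless of the flags the old one carried.
 */
function storeCookie(array &$jar, string $headerValue, string $requestHost): string
{
    $c = parseSetCookie($headerValue, $requestHost);
    if (!$c['hostOnly'] && !domainMatches($requestHost, $c['domain'])) {
        return "rejected: Domain={$c['domain']} does not cover {$requestHost}";
    }
    // Not in RFC 6265 itself: browsers refuse a Domain attribute that is a bare single
    // label such as "localhost" (the warning quoted in the Laravel/Sanctum question).
    if (!$c['hostOnly'] && !str_contains($c['domain'], '.')) {
        return "rejected: Domain={$c['domain']} is a single label; omit Domain for a host-only cookie";
    }
    $key = "{$c['name']}|{$c['domain']}|{$c['path']}";
    $verdict = isset($jar[$key]) ? 'replaced' : 'stored';
    $jar[$key] = $c;
    return "{$verdict}: {$key} secure=" . var_export($c['secure'], true)
         . ' httponly=' . var_export($c['httponly'], true);
}

/** Defender's checklist for one stored cookie. */
function auditCookie(array $c): array
{
    $findings = [];
    if (!$c['secure'])           $findings[] = 'no Secure: also sent over plain HTTP';
    if (!$c['httponly'])         $findings[] = 'no HttpOnly: readable from page scripts';
    if ($c['samesite'] === null) $findings[] = 'no SameSite: browser default applies';
    if (!$c['hostOnly'])         $findings[] = "Domain={$c['domain']} is shared with every subdomain";
    return $findings;
}

// Replay of the headers quoted on this page, each against its request host.
$jar = [];
$replay = [
    ['www.somedomain.com', 'PHPSESSID=aef6668de2af148bcc3a3bd3de71f880; expires=Tue, 08-Mar-2016 07:38:43 GMT; path=/; domain=www.somedomain.com; secure; HttpOnly'],
    ['www.somedomain.com', 'PHPSESSID=aef6668de2af148bcc3a3bd3de71f880; expires=Tue, 08-Mar-2016 07:38:43 GMT; path=/'],
    ['localhost',          'XSRF-TOKEN=PLACEHOLDER; expires=Fri, 17-Sep-2021 16:00:35 GMT; Max-Age=7200; path=/; domain=localhost; samesite=lax'],
    ['pix-all.com',        'PHPSESSID=f0e2dfe56cc78be718c8154ac80d1ae2; path=/; domain=pix-all.com'],
];
foreach ($replay as [$host, $line]) {
    echo storeCookie($jar, $line, $host), "\n";
}
foreach ($jar as $key => $c) {
    echo $key, ': ', implode('; ', auditCookie($c)) ?: 'ok', "\n";
}
echo 'pix-all.com cookie sent to static.pix-all.com: ',
     domainMatches('static.pix-all.com', 'pix-all.com') ? 'yes' : 'no', "\n";
```

Replaying the two PHPSESSID headers from the top question shows the point that matters for a defender: the second header has no Domain attribute, so it becomes a host-only cookie for www.somedomain.com, which is the same (name, domain, path) as the first, and it replaces it. What the browser keeps is the copy without Secure and HttpOnly. The localhost cookie is rejected, and the pix-all.com cookie is stored and, per domainMatches(), sent to static.pix-all.com, which is exactly what the answer above says.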