I am creating a soap server in codeigniter using php native soap server class.
The soap server is working great but I have a problem with the codeiginter session cookie. The session cookie is being sent with every response from the soap server. I need the session cookie for other parts of the application excluding the soap server.
Is there a way I can disable the session cookie just for the soap server which is a controller in the application?
I have searched stackoverflow and other website for information but have not found anything useful.
It may be I am missing something obvious.
Please point me in the right direction.
Edit:
this is the http response for the soap request:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2014 07:05:56 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Set-Cookie: fgdstagecookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22076ceb992c6dff61e46d04d0c3d73d03%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22116.90.236.34%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A34%3A%22Apache-HttpClient%2F4.1.1+%28java+1.5%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1389337556%3B%7D7e8bb59c2753934d5a6265ab7964064c; path=/
Content-Length: 382
Cache-Control: no-store, no-cache, must-revalidate, private, max-age=0
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Connection: close
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><ns2:responseType xmlns:ns2="http://tempuri.org/response"><code>4</code><message>transaction does not exist or is not available</message><responseBody><responseStr>4</responseStr></responseBody></ns2:responseType></SOAP-ENV:Body></SOAP-ENV:Envelope>
The part I want to remove is the Set-Cookie part.
Before returning the response or request use the header_remove(); function
Reference
http://www.php.net/manual/en/function.header-remove.php
<?php
header("X-Foo: Bar");
header("X-Bar: Baz");
//remove specific header
header_remove("X-Foo");
//remove all headers
header_remove();
?>
Related
I am trying to send an AJAX-request from a page hosted on Github Pages (with https) to a php script hosted on a different domain (also https).
This is the code I am using in my AngularJS controller (although I don't think that is the problem):
$http.get('//thorin.epizy.com/cors.php?url=Place%2FGetClosestPlacesExtension%3Fcoordinates%3Dx%3D'+Math.round(vm.coords[0])+'%2Cy%3D'+Math.round(vm.coords[1])+'%26proposals%3D12').success(function (data) {
vm.success = true;
console.log('Recieved data from Ruter:',data);
});
The request fails and gives this error in the console:
When opening the Network panel in Chrome I see that the CORS headers are not present:
However, when I visit the page directly in the browser (typing the url into the url field) and open the Network panel all the correct headers are present:
I have tried sending the request from pages on other domains as well, bu I get the same error and no CORS headers. This makes very little sense to me and I have no idea how to fix it. I would really appreciate any help.
For a strange reason, thorin.epizy.com/cors.php doesn't send CORS headers without cookies:
curl -I 'http://thorin.epizy.com/cors.php?[...]' <other headers>
Date: Sun, 04 Dec 2016 16:42:57 GMT
Content-Type: text/html
Content-Length: 920
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
With cookies, we get the correct headers:
curl -I -H 'Cookie: __test=b142b58439ba4f78e04c32cd1ba0a991' 'http://thorin.epizy.com/cors.php?[...]' <other headers>
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Dec 2016 16:45:04 GMT
Content-Type: application/json;charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS
Cache-Control: max-age=0
Expires: Sun, 04 Dec 2016 16:45:04 GMT
When you do a cross site request and want cookies, you need to ask for them with withCredentials (withCredentials: true with angularjs).
Then, the server will need to change two things:
add Access-Control-Allow-Credentials: true in the response
change Access-Control-Allow-Origin: * to Access-Control-Allow-Origin: your-web-site.com (usually taken from the Origin request header)
If you don't you will get the following message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ‘http://thorin.epizy.com/cors.php?url=[...]’. (Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’).
I realise that this might be a VERY obscure question but it's driving me mad, I have 5 extra characters being inserted into the URL while navigating between the pages on my site. (eg. http://track.chhs.nsw.edu.au/UXTWP/userAccount.php?) The UXTWP is being added and I'm not sure where from but it is breaking the navigation randomly.
The site is hosted on goDaddy.
It contains HTML CSS PHP JavaScript and mySQL.
Everything was working well until I added a "fix" in PHP to stop a potential 'hack' that would use an id being passed in the URL to switch the viewed content.
I'm not sure this was the problem but that was the most recent change before the errors started occurring.
this is the site I also looked to place the code up on phpfiddle but I'm not sure what to add?
if(isset($_GET['a'])){
if(strpos($userRow['sID'], $_GET['a']) !== false) {
$_SESSION['student']=$_GET['a'];
$tempArray = db_select("SELECT * FROM student WHERE sID ='".$_SESSION['student']."'");
$studentRow = array_shift($tempArray);
$_SESSION['impactTool'] =$studentRow['impactAssToolID'];
$SName = $studentRow['sName'];
$SDOB = $studentRow['dob'];
$SFormDate = $studentRow['formDate'];
$prevInf = $studentRow['prevInfo'];
$famInf = $studentRow['famInfo'];
$contInf = $studentRow['contextInfo'];
$impactIDMsg = "?z=".$_SESSION['impactTool'];
$btnFlag = true;
}else{
header("Location:logout.php");
}
The intention is to dump the user back to the login screen via logout if they attempt to access a student's detail that doesn't belong to them.
Thanks in advance for any help provided.
Ok this time I think it is fixed!! Thank you so much #Progrock for your persistent testing and ideas.
The fix:
I have included a blank .htaccess file into the root of the site.
Now I can navigate through the different pages using the onsite navigation and the browser navigation and I can't create the error anymore.
I'm hoping that this is a permanent fix and my best guess is that it was the browser/server looking for the .htaccess file on particular triggers when not finding it looking to the server generic .htaccess file.
Hope this post helps someone in the future experiencing a similar problem.
Not an answer, but an observation:
I finally experienced the bug when using curl to view headers:
curl -I http://track.chhs.nsw.edu.au
Output:
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /TSXbZ/
Then shortly after, the same curl call resulted in the desired page without the redirect. So the bug is inconsistent, as you have said.
If I do a header location redirect in Php code. Or I use a .htaccess rule to do something similar: A return header reads something like this:
Server: Apache/2.2.22 (Foo)
The absence of an apache server header (for some of your responses) makes me suspicious that a proxy or caching layer may sit in front of your webserver and Php code.
Reading your code, I can't see any obvious reasons for the character insertions.
Notice subsequent differences with the following responses (return headers):
3:21% curl -I http://track.chhs.nsw.edu.au
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /XRjRZ/
3:23% curl -I http://track.chhs.nsw.edu.au
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /
3:24% curl -I http://track.chhs.nsw.edu.au
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /
3:24% curl -I http://track.chhs.nsw.edu.au/index.php
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /index.php
3:24% curl -I http://track.chhs.nsw.edu.au/index.php
HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 15:24:56 GMT
Server: Apache/2.4.23
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=60d307bdc288bf1371dc5e0c8c397cdf; path=/
Vary: User-Agent
Content-Type: text/html
Have you got an esoteric .htaccess, or server config?
I made a curl request to a PHP file on my server from my machine and it returns the following response.
HTTP/1.1 200 OK
Content-Length: 317
Content-Type: application/json
Server: Microsoft-IIS/7.5
Last-Modified: Wed, 19 Feb 2014 11:30:16 GMT
Via: 1.1 SC10100_83_75
Connection: keep-alive
Date: Wed, 19 Feb 2014 12:00:47 GMT
The problem is, this seems to be caching my request and is not returning the latest values. I suspect it is due to the Via header (read that it is about proxies). What is it and how can I remove it?
Looks like via - indicates that you have been routed via a proxy - however - this is information only - you need to make sure you caching headers are being set correctly so that the proxy takes the correct action.
Currently there is no caching headers being set on your request.
If you do not want it to be cached - then set the following header:
Cache-Control: no-cache
See http://www.w3.org/Protocols/HTTP/Issues/cache-private.html
I am trying to send a cross domain request from a page on one domain to a PHP server on an other domain. Everything works fine without credentials (I need a session) but as soon as I add credentials, it doesn't work.
Here is the JS code :
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://phpserver.net',true);
xhr.withCredentials = true ;
xhr.onreadystatechange = function(e) {
if (this.readyState == 4 && this.status == 200) {
alert(this.responseText);
}
}
xhr.send();
Please remember that it works without credentials. There is no alert.
So I inspected the network with Firebug:
The request is correctly handled by the server, it's received with an HTTP code 200 but there is no content.
I checked the headers :
HTTP/1.1 200 OK
Date: Fri, 14 Jun 2013 17:20:19 GMT
Server: Apache/2.4.2 (Win64) PHP/5.4.3
X-Powered-By: PHP/5.4.3
Access-Control-Allow-Origin: *
access-control-allow-credentials: true
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: key=441wqr3e4cf2456c763c1ea173aa06b5ad284e5f38; expires=Fri, 28-Jun-2013 17:20:19 GMT
key2=248fbaf41cdd698549fdddb341927885; expires=Fri, 28-Jun-2013 17:20:19 GMT
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
And finally my strangest discovery :
The header "Content-Length" actually shows the real content length! If I add an echo "foo", the content-length increase by three and so on.
I looked trough lots of questions but this one is really tricky and I can't find any solution.
EDIT :
I forgot to mention that this request works if instead of the xmlHttpRequest object I use a user-script and the GM_xhr function.
When setting headerAccess-Control-Allow-Credentials to true, you cannot use a wildcard for header Access-Control-Allow-Origin. That is, a specific host must be specified.
Instead of:
Access-Control-Allow-Origin: *
Use:
Access-Control-Allow-Origin: http://safedomain.com
You can even set the Access-Control-Allow-Origin header to the Origin header received in the request. Not sure about PHP, but using the Java Servlets API:
String origin = request.getHeader("Origin");
request.setHeader("Access-Control-Allow-Origin", origin);
I'm trying to use early flush with php5/apache2 to execute some code, render some json and after that executing another part of the code that take several second but doesn't produce any response.
The basic code so far is:
#apache_setenv('no-gzip', 1);
#ini_set('zlib.output_compression', 0);
echo 'Page loading'; // code to render;
ob_flush();
flush();
sleep(29); // LONG time code to execute
The previous example does not work. I mean it will echo 'Page loading' after 29seconds.
If I looked at the http response I have:
(Status-Line) HTTP/1.1 200 OK
Date Mon, 04 Jul 2011 19:49:19 GMT
Server Apache/2.2.11 (Win32) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.3.0
X-Powered-By PHP/5.3.0
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma no-cache
Keep-Alive timeout=5, max=100
Connection Keep-Alive
Transfer-Encoding chunked
Content-Type text/html
My problem is not really why it doesnt work? but How can I checked where my string get buffered?
I know that there is different buffer:
- php output_buffer, php zlib.buffer
- apache mode_deflate / gzip
- browser buffering
All php output buffering are off, apache mode_deflate is activated but as you can see the transfer-encoding is "chunked".
I have no idea how to find out where is my problem, I'm using HttpFox to see the header and I try to get the content of the HTTP request, HttpFox say that the content is not ready until the 29seconds are done.
Any advice?
Hmm have you tried ob_get_level() ?
Marc B was right...
I had to make a loop of a 1000, with output_buffering activated
$var = 1000;
while(--$var)
echo 'Page loading'; // code to render;
To be able to see result before the sleep.
I have to to a loop of 100, with output_buffering = off to get the same result.