Ok I guess this question may be similar to other in the "remote cookies" kind, but I'm not sure that other answers I've read are applied to my case anyway, so here we go.
I have two applications, a client and a server. The server "has" (I know they're actually stored client-side) a cookie and a page which uses it to print out a computed data based on the cookie.
If I access the server page directly, the cookie is taken into account and the data is output correctly.
If I call the same server page from the client via a file_get_contents() the cookie on the server page doesn't get read, and I get an answer computed with an empty cookie.
How to make the server read its own cookies when answering a similar request? Is cURL the only option?
You need to:
Make a request that gets a Set-Cookie header in the response (assuming the cookies are HTTP cookies and not JS cookies)
Store the cookies
Include the cookies in the HTTP request to the page that displays them
cURL is probably the sanest way to go about dealing with being an HTTP client in PHP when you need to pay attention to the headers. Another question gives some guidance about how to go about doing that.
Note that there is no way to send the cookies that the browser accessing your PHP script would sent to the remote server. They are a secret that belong to the browser and that server and will not be shared with your server.
Related
Is it possible to read the cookies that are sent by a third-party homepage using php?
In concrete, i want to find out if a page using GTM does also set .ga cookies.
I was thinking of a "virtual browser" solution on the server, is that possible / is anybody experienced with that?
Thanks!
No, because PHP runs on the server and gets only the cookies of that domain
Cookies are stored on the client (browser). PHP is executed on the other side. The cookies are stored in the browser and the browser sends the cookie values along with the HTTP request to the server.
Therefore, the PHP process only gets to see the cookies of that domain.
And if you think of it, everything else would be a security flaw because every site could read for example secrets of sessions that are open on another site!
I'm learning about Laravel passport package and creating a SPA using Vue.js to test it, I'm wondering about saving the Token in the client browser, If I saved it on local storage it would be accessible from Javascript and anyone run js on the browser would be able to read it !
My questions are; What is the solution for this situation ?
If I saved the token in the cookies It would be accessible too, and I read about httpOnly cookies, so How can I set the cookies to save the token from the response from the API if it's not accessible by Javascript ?
Is there a way to save the cookies from the API ?
I hope I can find answers for my Questions.
Well, there are a couple of things to understand here.
HTTP only cookie
First, HTTP cookies are set by the server using set-cookie header. In this case, you as a developer need not do anything. The browser will automatically set it for you and will send back to the server on each Ajax or non-ajax requests. It will send the cookie as long as it is not expired.
LocalStorage
When using LocalStorage for storing the token, any JavaScript code can read it (known as XSS attack if misused). But, the key thing to understand here is that other domain's JavaScript code cannot read the LocalStorage. The scope is restricted to your own site. Other website's JS cannot read it. So, if you are not using any external dependency or compromised CDN, you are safe.
Cross-site cookie
No. It is impossible to set a cross-domain cookie under any circumstances. Only other domain's server can set a cookie for itself (Unless you have some backend mechanism like Gmail + Youtube to share session). However, in case of a subdomain, the following things are allowed:
Parent domain can set a cookie for any child domain. That is example.com can set a cookie for *.example.com.
Child domain can set a cookie for the parent domain. That is xyz.example.com can set a cookie for example.com.
Of course, the rules are more complicated than that. This article should help you understand further.
As of current, are there still any methods to spoof HTTP referer?
Yes.
The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged. This includes HTTP_USER_AGENT.
If you wrote the web browser, you're setting and sending the HTTP Referrer and User-Agent headers on the GET, POST, etc.
You can also use middleware such as a web proxy to alter these. Fiddler lets you control these values.
If you want to redirect a visitor to another website and set their browser's referrer to any value you desire, you'll need to develop a web browser-plugin or some other type of application that runs on their computer. Otherwise, you cannot set the referrer on the visitor's browser. It will show the page from your site that linked to it.
What might be a valid solution in your case would be for you to load the third party page on the visitor's behalf, using whatever referrer is necessary, then display the page to the user from your server.
Yes, the HTTP referer header can be spoofed.
A common way to play with HTTP headers is to use a tool like cURL:
Sending headers using cURL:
How to send a header using a HTTP request through a curl call?
or
The cURL docs:
http://curl.haxx.se/docs/
Yes of course. Browser can avoid to send it, and it can be also "spoofed". There's an addon for firefox (I haven't tried it myself) and likely you can use also something like privoxy (but it is harder to make it dynamically changing). Using other tools like wget, is as easy as setting the proper option.
I am doing authentication for a web service in php. When a user authenticates a session is generated. Eventually this session expires and the user needs to authenticate again. The authentication information is sent in the http headers.
But it seems that sometimes the variable $_SERVER (or apache_request_headers()) return some headers that are not being sent by the client in the current request (they were sent in previous requests). For instance sometimes I get the variable $_SERVER['HTTP_RESPONSE'] filled with information from previous requests.
Is it normal for $_SERVER or apache_request_headers() to 'persist' across requests?
It depends on whether or not you're using a browser to access the script.
Your 'persistent' headers are probably due to browser caching, but even then I'm not entirely sure what is happening. I've tried running a few tests using Fiddler, but couldn't replicate the problem.
Maybe try clearing your cache, as different headers might have been stored from previous versions of the script.
But, I would definitely avoid sending authentication params in the headers. Unless you're using HTTPS, they're liable to be sniffed and stolen. Why are you using headers?
$_SERVER contains information about the server, it doesn't necessarily contain any request/response information, it's persistent across the server life-time (eg, the SERVER_NAME will persist, but has nothing to do with the REQUEST/RESPONSE)
apache_request_headers() contains an array of headers which were sent, those may or may not include any cookie and session information - they are dependent on the client which you're using to access the server.
the only thing which persists across requests, it $_SESSION, because everytime you're accessing the $_SESSION superglobal, it fetches the session information which was saved on the file system (basic PHP implementation), some frameworks persist the session in the database (such as Yii).
I'm assuming you want to create a request header based authentication, so what you need to actually do, is parse the request_headers, match those against a legal user credentials, and simply open_session(); and put a value in the session which will mark the user as authenticated, any subsequent check, will be made against the $_SESSION superglobal, or against some other-implementation of sessions.
Is that possible that with cURL not every user use the same cookie?
Because it's cool that I store the cookie that I get, but this cookie will be used by everybody, and it should be, because it's a login cookie.
Charlie
Here's a really basic overview of how cookies work
Client (browser) makes request
Server sees request and asks "hey, did this client send me a cookie?"
Server doesn't see a cookie, so it does some stuff, and then sends back a response, with a cookie
Client (browser) sees the response and says "hey look, a cookie for me, I better save this"
The next time the client makes a request to that same server, it sends along that same cookie
Server sees the request and asks "hey, did this client send me a cookie?"
Server sees the cookie this time, and does some different stuff because of what's in the cookie, and then sends back a response, with a cookie
Client (browser) sees the response and says "hey look, a cookie for me, lets update the one I have"
It sounds like the problem you're running into is you have multiple curl requests running from the same machine, but you want each one to use a different cookie file.
You should be able to achieve this by using the following two curl options
CURLOPT_COOKIEJAR //tells curl which file to save the cookie from the server in
CURLOPT_COOKIEFILE //tells curl which file to look in and send as the request cookie
If you setup a system so that each different curl request is setting a different path value for these two options, you should be set.
Your question is unclear, do you want all user to use the same cookie or not ? What is an user in your case, a visitor on your website ?
In any case, you can set which file curl will use to save/load its cookies using curl_setopt and the CURLOPT_COOKIE* constants.