Do POST requests carry PHP session values across servers? - php

If I'm using PHP to perform a cURL POST to a remote server running code containing session_start(), is it possible to access session variables set on the local machine on the remote?

Unless you've got PHP trans_sid option turned on (BAD idea), POST has nothing to do with session values. That's mediated through a standard cookie.
Cookies are bound by same-domain security settings - they CAN be shared between hosts in the same domain (e.g. foo.example.com and bar.example.com), but an Amazon cookie cannot be shared with Yahoo.

No they do not. Even sending a session cookie, which you can do with cURL POST, will reference a session which exists only on the requesting server.

No.
The session variables are server-specific. They only cross to another server if the session ID were to be set correctly, and if they were using a shared session data-store, such as memcached.
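The behaviour described in the answers above, as an added example that is not from the original posts: two servers are modelled as two `session.save_path` directories in one PHP CLI script, and the same session ID is presented to each. The store that never saw the write yields an empty session; the store that holds the data yields the saved value. The directory names, the `user` key and the helper names are assumptions made for the demo.

```php
<?php
// Added example: "local" and "remote" servers are two separate session stores.
declare(strict_types=1);

// CLI run: no cookie or cache headers, the session ID is passed explicitly.
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');
ini_set('session.use_strict_mode', '0');  // accept the ID exactly as presented

/** Open session $sid against the store in $store and return its contents. */
function withSession(string $store, string $sid, ?callable $write = null): array
{
    session_save_path($store);  // which data store this "server" reads
    session_id($sid);           // must be set before session_start()
    session_start();
    if ($write !== null) {
        $write();
    }
    $data = $_SESSION;
    session_write_close();
    return $data;
}

/** Create a private temporary directory standing in for one server's store. */
function makeStore(string $name): string
{
    $dir = sys_get_temp_dir() . "/demo_sess_{$name}_" . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    return $dir;
}

$local  = makeStore('local');
$remote = makeStore('remote');
$sid    = bin2hex(random_bytes(16));  // constructed session ID

// The local server sets a session variable.
withSession($local, $sid, function (): void { $_SESSION['user'] = 'alice'; });

$remoteView = withSession($remote, $sid);  // same ID, separate store
$sharedView = withSession($local, $sid);   // same ID, shared store

var_dump($remoteView, $sharedView);

// Remove the demo stores.
foreach ([$local, $remote] as $d) { array_map('unlink', glob("$d/sess_*")); rmdir($d); }
```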

Related

Cross Domain Session: Any thoughts on storing session id in JWT?

I am working on a PHP API application that will work on different domains (and hosted on different servers) that need to share user session. Let's say api.a.com and api.b.com.
Back end side, for me, storing session data using a session id key that can be fetched from multiple domains is the easy part.
My main concern is sending session id to both api.a.com and api.b.com. Native PHP session uses cookies to send session id for each request. Having different top level domain, the cookies will not be sent to all domains (unless I explicitly use JavaScript to extract it and send it as a request header).
I thought about storing the session id inside the JSON Web Token data sent to the server, but somehow, it feels wrong.
Any thoughts on this?
Use a memcache server. PHP supports saving sessions in memcache.
With Amazon, I have a load balancer front with Linux instances, each connected to memcache.
Then I have a completely different EB application and domain that accesses the same memcache and pulls real time stats, so it's pretty easy to setup access to the same memcache server or cluster from different applications.
Note there's a difference between "memcache" and "memcached" -- either can be used, but they're different servers!
Use a memcache server. PHP supports saving sessions in memcache or mysql.
Then use sessionid by http transport.

```php
<?php
$sid = $_REQUEST['sid'];   // receive the session ID
session_id($sid);          // set the current session ID to $sid; this only takes effect before session_start()
session_start();           // open the session stored under $sid
var_dump($_SESSION["A_DOMAIN_SESSION"]);
var_dump($_SESSION["B_DOMAIN_SESSION"]);
?>
```
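A stricter way to adopt a session ID received from another domain, as an added example that is not the answerer's code: the ID is format-checked, `session.use_strict_mode` makes PHP refuse IDs the store never issued, and a session without a login marker is discarded. The `user` key, the `adoptSession` helper and the temporary store are assumptions; in a web request the ID would come from the request rather than from the demo code.

```php
<?php
// Added example: adopt a caller-supplied session ID only if the store issued it.
declare(strict_types=1);

ini_set('session.use_cookies', '0');      // the ID arrives explicitly, not by cookie
ini_set('session.cache_limiter', '');
ini_set('session.use_strict_mode', '1');  // unknown IDs are replaced by a fresh one

/** Adopt $sid only if it is well-formed, already stored and carries a login. */
function adoptSession(?string $sid): bool
{
    if ($sid === null || !preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sid)) {
        return false;                     // malformed: never hand it to PHP
    }
    session_id($sid);                     // must precede session_start()
    session_start();
    if (session_id() !== $sid || !isset($_SESSION['user'])) {
        // Strict mode swapped in a new ID, or the session holds no login.
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Constructed demo: issue one session, then present a known and an unknown ID.
$store = sys_get_temp_dir() . '/demo_sess_' . bin2hex(random_bytes(4));
mkdir($store, 0700);
session_save_path($store);

session_start();                          // no ID supplied: PHP generates one
$_SESSION['user'] = 'alice';              // hypothetical login marker
$issued = session_id();
session_write_close();

$known = adoptSession($issued);           // ID that the store issued
session_write_close();
$unknown = adoptSession(bin2hex(random_bytes(16)));  // well-formed, never issued

var_dump($known, $unknown);

// Remove the demo store.
array_map('unlink', glob("$store/sess_*"));
rmdir($store);
```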

lamp server check session

I have a LAMP server. I have started playing around with php cookies and sessions inside my scripts. Is there any way to check what or how many and what type of session I have active? I am able to check if cookies are being deleted from client side but sessions are server side with only a token in the client side.
Is there a command of some sort that would allow me to view active sessions (amount, time, session info) connected to my server?
Thanks.
By default PHP stores session on disk. Go to your sessions directory and check the active sessions there.
The file name of the session directory is the session token and the data stored in the file is the session data.

Step by step flow from session creation to accessing session value from server in PHP

I would like to know that when a session starts on server in PHP what actually happens SEQUENTIALLY on server and client side?
Like when a page with some session values is accessed, will it create a file on server first or does it create a cookie on client computer? And what if cookie is disabled on client machine?
Please let me know if someone has any comments on this.
Thanks!!
Session can't be disabled on client machine unlike cookies.
Manual on Session, Cookies and Session vs Cookies.

$_SERVER and apache_request_headers() persistent across requests?

I am doing authentication for a web service in php. When a user authenticates a session is generated. Eventually this session expires and the user needs to authenticate again. The authentication information is sent in the http headers.
But it seems that sometimes the variable $_SERVER (or apache_request_headers()) return some headers that are not being sent by the client in the current request (they were sent in previous requests). For instance sometimes I get the variable $_SERVER['HTTP_RESPONSE'] filled with information from previous requests.
Is it normal for $_SERVER or apache_request_headers() to 'persist' across requests?
It depends on whether or not you're using a browser to access the script.
Your 'persistent' headers are probably due to browser caching, but even then I'm not entirely sure what is happening. I've tried running a few tests using Fiddler, but couldn't replicate the problem.
Maybe try clearing your cache, as different headers might have been stored from previous versions of the script.
But, I would definitely avoid sending authentication params in the headers. Unless you're using HTTPS, they're liable to be sniffed and stolen. Why are you using headers?
$_SERVER contains information about the server, it doesn't necessarily contain any request/response information, it's persistent across the server life-time (e.g., the SERVER_NAME will persist, but has nothing to do with the REQUEST/RESPONSE).
apache_request_headers() contains an array of headers which were sent, those may or may not include any cookie and session information - they are dependent on the client which you're using to access the server.
The only thing which persists across requests is $_SESSION, because every time you're accessing the $_SESSION superglobal, it fetches the session information which was saved on the file system (basic PHP implementation); some frameworks persist the session in the database (such as Yii).
I'm assuming you want to create a request header based authentication, so what you need to actually do is parse the request_headers, match those against legal user credentials, and simply open_session(); and put a value in the session which will mark the user as authenticated. Any subsequent check will be made against the $_SESSION superglobal, or against some other implementation of sessions.

How apache server handles session?

Please tell me how apache server store each logged user's session details.
I have never heard of Apache storing any session details.
Apache is an HTTP daemon and HTTP is a stateless protocol, with no session support.
You're probably talking of some language that emulates a stateful connection, using a cookie or query string to pass a session identifier.
Basically in PHP Sessions, the server will use either cookies or URL rewriting.
If cookies are enabled, it will store the sessionID in a cookie.
If cookies are disabled, it will pass the sessionID using a parameter (GET) by appending forms with hidden elements and links with the ID.
PHP stores session data as text files on disk. The browser is then assigned a cookie which identifies which session belongs to that browser.
