Cookie: header not seen when expected - php

I'm using Firefox's Live HTTP Headers to view the headers.
I wrote a script at mydomain.com that just sets a test cookie.
I thought that when we send a request to a naked URL, http://mydomain.com/script.php, cookies are sent across to all sub-domains.
But when I sent a request to http://www.mydomain.com/script.php, the cookie wasn't sent in the request headers by the browser. How come?
http://mydomain.com/script.php
GET /script.php HTTP/1.1
Host: mydomain.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8pre) Gecko/20100710 Ubuntu/9.10 (karmic) Namoroka/3.6.8pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 16 Jul 2010 00:08:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: UserID=23; expires=Fri, 16-Jul-2010 01:08:11 GMT; path=/
Content-Encoding: gzip
----------------------------------------------------------
http://www.mydomain.com/script.php
GET /script.php HTTP/1.1
Host: www.mydomain.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8pre) Gecko/20100710 Ubuntu/9.10 (karmic) Namoroka/3.6.8pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 16 Jul 2010 00:08:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: UserID=23; expires=Fri, 16-Jul-2010 01:08:24 GMT; path=/
Content-Encoding: gzip
----------------------------------------------------------
Is it that newer browsers aren't sending the headers like before?

Add the domain option, domain=.mydomain.com. This corresponds to the domain parameter of setcookie(), and this is explained there:
"To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'."

Related

A combination of a specific WordPress plugin + Modsecurity is causing 500 Internal Server Error

I'm using one of the WooCommerce Appointment plugins and it's causing a 500 internal error.
It seems ModSecurity intercepts the HTTP access, but I don't know what's wrong in the following log.
--a7316b05-A--
[02/Dec/2020:01:37:02 +0800] X8Z-PAqMAA4AAAp171YAAAAE 210.242.3.205 53878 10.140.0.14 443
--a7316b05-B--
GET /wp-admin/admin.php?post_type=wc_appointment&page=appointment_calendar&calendar_month=12&view=month&tab=calendar&filter_appointable_product=&filter_appointable_staff=&calendar_month=11&calendar_year=2020 HTTP/1.1
Host: homie.tw
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://homie.tw/wp-admin/admin.php?page=appointment_calendar&calendar_year=2020&calendar_month=12&view=month
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6,zh-CN;q=0.5
Cookie: wordpress_sec_39c5768458d20eee442b5f013f95c6e4=chihao.weng%40gmail.com%7C1606879569%7CIYBGng45F7DiEjkIlD5y2rCpJPu7QdupcJsax3TNQmT%7C99241b7eeb1b6d93b810479b22b84ecc4ff13e5394d5798b59840f4f759f649d; mp_a36067b00a263cce0299cfd960e26ecf_mixpanel=%7B%22distinct_id%22%3A%20%221736f1935d51cd-0a84c5198fb224-31617402-fa000-1736f1935d6df1%22%2C%22%24device_id%22%3A%20%221736f1935d51cd-0a84c5198fb224-31617402-fa000-1736f1935d6df1%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fhomie.tw%2Fwp-admin%2Fplugins.php%22%2C%22%24initial_referring_domain%22%3A%20%22homie.tw%22%7D; _ga=GA1.2.332580245.1599972620; energyplus-u=8d66286c0cdf0413991242985d297257; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3ADAEy5asYphPD0Q3i1p5KUhdQ; woocommerce_recently_viewed=1106%7C1433%7C1104%7C1105%7C1103%7C1101; wordpress_logged_in_39c5768458d20eee442b5f013f95c6e4=chihao.weng%40gmail.com%7C1606879569%7CIYBGng45F7DiEjkIlD5y2rCpJPu7QdupcJsax3TNQmT%7C0af3928e6a5cc78caf2d4fc871526abac2817b1604d085a887e9f81a7bc76fe2; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D1; wp-settings-time-1=1606706772; woocommerce_items_in_cart=1; woocommerce_cart_hash=0737a3efd621083e63e459451c8eb2b8; wp_woocommerce_session_39c5768458d20eee442b5f013f95c6e4=1%7C%7C1606879577%7C%7C1606875977%7C%7Cf29b691703754018bf8562fa8f40249c
--a7316b05-F--
HTTP/1.1 500 Internal Server Error
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 2789
Connection: close
Content-Type: text/html; charset=UTF-8
--a7316b05-H--
Apache-Handler: application/x-httpd-php
Stopwatch: 1606844220929440 1447814 (- - -)
Stopwatch2: 1606844220929440 1447814; combined=9964, p1=429, p2=8091, p3=65, p4=1265, p5=113, sr=13, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "ENABLED"
--a7316b05-Z--
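A way to triage an entry like the one above, added here as an example and not part of the original post: a parser for the ModSecurity 2.x serial audit-log format. The thing to check is part H. When a rule matches, ModSecurity writes `Message:` lines there (and `Action: Intercepted (phase N)` when it blocked); the entry in the post has neither, only the Producer and Engine-Mode lines. A 5xx response still lands in the audit log because the default `SecAuditLogRelevantStatus "^(?:5|4(?!04))"` selects it, so being logged is not evidence that the WAF caused the error. The sample entries below are constructed: the first is an abbreviated copy of the posted log with the cookie removed, the second a made-up blocked transaction for contrast (its rule id and message are placeholders).

```python
"""Triage one ModSecurity 2.x audit-log entry (added example, constructed samples)."""
import re
from typing import Dict, List

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
PART_A = re.compile(r"^\[(?P<when>[^\]]+)\]\s+(?P<txid>\S+)\s+(?P<client_ip>\S+)\s+"
                    r"(?P<client_port>\d+)\s+(?P<server_ip>\S+)\s+(?P<server_port>\d+)")


def parse_audit_entry(text: str) -> Dict[str, List[str]]:
    """Split an entry into its lettered parts: A header, B request, F response, H trailer."""
    parts: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = m.group(2)
            parts[current] = []
        elif current is not None and line.strip():
            parts[current].append(line.rstrip())
    return parts


def triage(text: str) -> dict:
    """Who sent what, what status came back, and whether any rule actually fired."""
    parts = parse_audit_entry(text)
    a = PART_A.match(parts.get("A", [""])[0])
    status_line = parts.get("F", [""])[0]
    h = parts.get("H", [])
    messages = [l[len("Message:"):].strip() for l in h if l.startswith("Message:")]
    engine = next((l.split(":", 1)[1].strip().strip('"') for l in h
                   if l.startswith("Engine-Mode:")), None)
    return {
        "client_ip": a.group("client_ip") if a else None,
        "request": parts.get("B", [""])[0],
        "status": int(status_line.split()[1]) if status_line.startswith("HTTP/") else None,
        "rule_messages": messages,
        "blocked_by_waf": any(l.startswith("Action: Intercepted") for l in h),
        "engine_mode": engine,
    }


# Constructed: the posted entry, abbreviated, cookie header dropped.
SAMPLE = """\
--a7316b05-A--
[02/Dec/2020:01:37:02 +0800] X8Z-PAqMAA4AAAp171YAAAAE 210.242.3.205 53878 10.140.0.14 443
--a7316b05-B--
GET /wp-admin/admin.php?post_type=wc_appointment&page=appointment_calendar HTTP/1.1
Host: homie.tw
--a7316b05-F--
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=UTF-8
--a7316b05-H--
Apache-Handler: application/x-httpd-php
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Engine-Mode: "ENABLED"
--a7316b05-Z--
"""

# Constructed: what a transaction that a rule did intercept looks like (placeholder rule).
BLOCKED = """\
--deadbeef-A--
[02/Dec/2020:01:40:00 +0800] deadbeef 203.0.113.5 40000 10.140.0.14 443
--deadbeef-B--
GET /?q=%3Cscript%3E HTTP/1.1
Host: homie.tw
--deadbeef-F--
HTTP/1.1 403 Forbidden
--deadbeef-H--
Message: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed test rule"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--deadbeef-Z--
"""

if __name__ == "__main__":
    for entry in (SAMPLE, BLOCKED):
        print(triage(entry))
```

For the posted entry `triage()` reports status 500, no rule messages and `blocked_by_waf` False: the next place to look is the PHP error log for the plugin, not the CRS rule set.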

Redirecting to an Amazon link does not work

I use redirects for all of my outbound links, which work fine with the exception of Amazon.
BUT, if I have the actual Amazon link in the HREF it works fine.
Here is an example:
When I redirect the link in the HREF looks something like this:
http://domain.com/buy-web/1425
which goes via an internal PHP script that gets the actual Amazon link, which looks like:
http://www.amazon.com/gp/search?ie=UTF8&tag=AFF_ID&index=aps&linkCode=ur2&camp=CAMP&creative=CREATIVE&keywords=tory-burch-amanda-crossbody-bag
and does:
header('Location: ' . $outURL);
When I redirect, I am sent to this page on Amazon instead of the right one:
http://www.amazon.com/ref=nb_sb_noss_null
I have double checked that $outURL has the right link in it.
Anybody got any ideas why?
Thanks everyone.
PS: Here are the raw headers:
http://andynew/buy-web/1026
GET /buy-web/1026 HTTP/1.1
Host: andynew
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __atuvc=1%7C28; andynew=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227cb2ce95595fdf811ba5e2163b5f1d24%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.8%3B+rv%3A30.0%29+Gecko%2F20100101+Firefox%2F30.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1406480767%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22discount%22%3Bs%3A1%3A%220%22%3Bs%3A10%3A%22gridOrList%22%3Bs%3A4%3A%22grid%22%3Bs%3A11%3A%22displayData%22%3Bs%3A3%3A%22rel%22%3Bs%3A8%3A%22currency%22%3Bs%3A1%3A%22%24%22%3Bs%3A9%3A%22productId%22%3Bs%3A0%3A%22%22%3B%7D81d96834d2c29c51fc5169a3b4a3b489
Connection: keep-alive
HTTP/1.1 302 Found
Date: Sun, 27 Jul 2014 18:00:10 GMT
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8y DAV/2 PHP/5.4.4
X-Powered-By: PHP/5.4.4
Set-Cookie: andynew=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227de1b339301f44415c2d6e9b6bb4123a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.8%3B+rv%3A30.0%29+Gecko%2F20100101+Firefox%2F30.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1406484010%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22discount%22%3Bs%3A1%3A%220%22%3Bs%3A10%3A%22gridOrList%22%3Bs%3A4%3A%22grid%22%3Bs%3A11%3A%22displayData%22%3Bs%3A3%3A%22rel%22%3Bs%3A8%3A%22currency%22%3Bs%3A1%3A%22%24%22%3Bs%3A9%3A%22productId%22%3Bs%3A0%3A%22%22%3B%7D576acce0b2310f850aea22ec8c28ae79; expires=Sun, 27-Jul-2014 20:00:10 GMT; path=/
Location: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=AFF-ID&amp;index=aps&amp;linkCode=ur2&amp;camp=CAMP&amp;creative=CREATIVE&amp;keywords=ugg-classic-bow-shorty-womens-sized-accessory-grey
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
http://www.amazon.com/gp/search?ie=UTF8&amp;tag=AFF-ID&amp;index=aps&amp;linkCode=ur2&amp;camp=CAMP&amp;creative=CREATIVE&amp;keywords=ugg-classic-bow-shorty-womens-sized-accessory-grey
GET /gp/search?ie=UTF8&amp;tag=AFF-ID&amp;index=aps&amp;linkCode=ur2&amp;camp=CAMP&amp;creative=CREATIVE&amp;keywords=ugg-classic-bow-shorty-womens-sized-accessory-grey HTTP/1.1
Host: www.amazon.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: session-id-time=2082787201l; session-id=185-3040520-0718910; ubid-main=184-2208389-3838529; session-token="Q34hrPBvyfBn/m8gsaJOC185MUqzRj+6pViKhkOotL7DNO+KI3+yGaNFG65xvuN79/agGpPsGKWGN5fDBbt+KAnyq++5PFQSpAkNQnMAsJwMqR+hNzNXYZYr/pwBLe5RbsEF3mjVsACMNNMuzeVKw1OXUhkSO4XNxp+Z6LtlmyWy62KX0x5Qnz2AWy+pgKVFjLfDmHQAe1RMt82gDA0hMbgBZB3dHrko1dKm9o8BZ6I="; x-main="4g66HOBViU1sjppUYDkyRt5qEx7xXo?2"; __utma=125759317.321611390.1405706148.1406480645.1406480704.15; __utmz=125759317.1406478568.13.11.utmccn=(referral)|utmcsr=amazon.com|utmcct=/ap/signin|utmcmd=referral; __utmv=125759317.AFF-ID; x-wl-uid=1eBl7bcTv1V/h74WHTIZP+Hvnsr/oVfw2gl4r2f4jsJRBO2JdOf8BaddaGBLw/itrjEKvX1dbb0YAZxGDfP8eBA==; s_pers=%20s_vnum%3D1408288972388%2526vn%253D1%7C1408288972388%3B%20s_invisit%3Dtrue%7C1405698772388%3B%20s_nr%3D1405696972390-Repeat%7C1413472972390%3B; s_fid=12639358825850B3-1B157A0114E15FF1; s_dslv=1396942038784; s_vn=1418980489687%26vn%3D4; aws-ubid-main=182-0303093-2027858; aws-x-main="?6#eyI2zA2v9U3hUThKr9ptYKZDEnL1u"; regStatus=registered; csm-hit=s-10PZ2HKQV6RQT3SNRG82|1406478566454; __utmc=125759317
Connection: keep-alive
HTTP/1.1 302 Found
Date: Sun, 27 Jul 2014 18:00:10 GMT
Server: Server
x-amz-id-1: 1ENW70JDY98QP5G7R23W
x-amz-id-2: Cgjt+l8Pxxwl5A0t0tAla6b7y5Yobfh45Yq+kRDS4BPgrqyzZMzUmI5YVe3zF4lQej9X7ieHSTw=
X-Frame-Options: SAMEORIGIN
Location: /ref=nb_sb_noss_null
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Set-Cookie: ubid-main=184-2208389-3838529; Domain=.amazon.com; Expires=Sat, 22-Jul-2034 18:00:11 GMT; Path=/
Vary: User-Agent
You aren't sending the URL you claim to be sending. All of your ampersands are being encoded as &amp;, as if this were HTML. Stop doing that, and your problem will go away.
We couldn't tell you what part of your code is doing this unnecessary encoding, since the code you show in your question will not have this problem.
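What that answer describes, as an added example that is not part of the original question or answer: `&amp;` is the right form for a URL inside an HTML attribute, because the browser decodes the entity before following the link, but nothing decodes an HTTP header, so in a Location header the entity survives and the receiving server sees parameter names like `amp;index` and `amp;keywords` instead of `index` and `keywords`. The URL below is constructed from the one in the post (affiliate placeholders kept); `check_location_value()` is a pre-send check I would add in front of any `header('Location: ...')` call, and its CR/LF test is general header-injection hygiene rather than something the post reports.

```python
"""HTML-escaped ampersands in a Location header (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the affiliate URL in the post.
GOOD = ("http://www.amazon.com/gp/search?ie=UTF8&tag=AFF-ID&index=aps"
        "&linkCode=ur2&camp=CAMP&creative=CREATIVE&keywords=ugg-classic-bow-shorty")
BAD = GOOD.replace("&", "&amp;")      # what htmlspecialchars()-style escaping produces

# A complete character reference: &name; &#NNN; or &#xHH;  (a bare "&tag=" is not one)
ENTITY = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")


def query_names(url: str) -> list:
    """Parameter names exactly as the receiving server will parse them."""
    return sorted(parse_qs(urlsplit(url).query, keep_blank_values=True))


def check_location_value(value: str) -> list:
    """Problems that make `value` wrong or unsafe as a raw HTTP header value."""
    problems = []
    if ENTITY.search(value):
        problems.append("contains HTML character references; headers are not HTML-decoded")
    if "\r" in value or "\n" in value:
        problems.append("contains CR/LF; a header value must be one line")
    return problems


def location_header(url: str) -> str:
    """Build the header line only when the checks pass."""
    problems = check_location_value(url)
    if problems:
        raise ValueError("; ".join(problems))
    return "Location: " + url


if __name__ == "__main__":
    print("good:", query_names(GOOD))
    print("bad: ", query_names(BAD))        # amp;camp, amp;creative, ... and no 'keywords'
    print(check_location_value(BAD))
```

The same value must be escaped differently for each context it lands in: entity-escaped when written into an `href`, raw when written into a header. Escaping once at storage time and reusing the stored form everywhere is exactly how a URL ends up with `&amp;` in a header.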

ob_gzhandler returns wrong result

I'm testing my site where I use ob_gzhandler to compress output and got an interesting error. According to the docs, "If a browser doesn't support compressed pages this function returns FALSE".
Here is my test code:
<?php
$res = ob_start( 'ob_gzhandler' ) ;
echo 'My text' ;
var_dump( $res ) ;
I'm using FF 5.0, and if I don't change any headers all works fine. Here is the listing:
Live HTTP Headers output
http://tester.loc/ob-test/gz.php
GET /ob-test/gz.php HTTP/1.1
Host: tester.loc
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://tester.loc/ob-test/
Cache-Control: max-age=0
HTTP/1.1 200 OK
Date: Wed, 06 Jul 2011 10:37:45 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 126
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Script output:
My text
boolean true
But when I remove the Accept-Encoding header, ob_gzhandler still returns true. Listing again:
Live HTTP Headers output
http://tester.loc/ob-test/gz.php
GET /ob-test/gz.php HTTP/1.1
Host: tester.loc
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://tester.loc/ob-test/
Cache-Control: max-age=0
HTTP/1.1 200 OK
Date: Wed, 06 Jul 2011 10:35:52 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 109
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Script output
My text
boolean true
So in both cases ob_gzhandler returns true, though it's supposed to be false in the second sample. Is it my misunderstanding or a bug?
Thanks in advance
It's the ob_gzhandler() function itself which will return false; this isn't what you are calling (directly).
ob_start() only returns false if the callback fails, and I don't think ob_gzhandler() returning false is the same as it failing.
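The distinction the answer draws, as an added example that is not part of the original question or answer and not PHP's own code: a Python model in which `respond()` plays the role of flush time and `gz_handler()` plays the role of the output callback. Installing the buffer always succeeds; it is the callback, run later, that returns False when the client sent no usable Accept-Encoding, and the body then goes out uncompressed. The model goes a little beyond a bare substring match on the header by honouring q-values and the `*` wildcard; preferring gzip over deflate is an assumption made here.

```python
"""Model of an output callback that compresses only when the client can cope (added example)."""
import gzip
import zlib
from typing import Dict, Optional, Tuple, Union


def parse_accept_encoding(value: Optional[str]) -> Dict[str, float]:
    """coding -> q-value (RFC 7231 section 5.3.4); a missing header gives {}."""
    prefs: Dict[str, float] = {}
    if not value:
        return prefs
    for item in value.split(","):
        coding, _, params = item.strip().partition(";")
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.strip().lower() == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0
        if coding:
            prefs[coding.strip().lower()] = q
    return prefs


def choose_encoding(accept_encoding: Optional[str]) -> Optional[str]:
    """gzip if acceptable, else deflate, else None; q=0 means 'not acceptable'."""
    prefs = parse_accept_encoding(accept_encoding)
    wildcard = prefs.get("*")
    for coding in ("gzip", "deflate"):
        q = prefs.get(coding, wildcard)
        if q is not None and q > 0:
            return coding
    return None


def gz_handler(buffer: bytes, accept_encoding: Optional[str]) -> Union[bytes, bool]:
    """The callback: the compressed body, or False when the client cannot take it."""
    coding = choose_encoding(accept_encoding)
    if coding is None:
        return False
    if coding == "gzip":
        return gzip.compress(buffer)
    return zlib.compress(buffer)          # zlib-wrapped stream, which HTTP calls "deflate"


def respond(body: bytes, accept_encoding: Optional[str]) -> Tuple[Dict[str, str], bytes]:
    """Flush time: headers and body that would go on the wire."""
    headers = {"Content-Type": "text/html", "Vary": "Accept-Encoding"}
    out = gz_handler(body, accept_encoding)
    if out is False:                      # callback declined: send the buffer as-is
        return headers, body
    headers["Content-Encoding"] = choose_encoding(accept_encoding)
    return headers, out


def decode(headers: Dict[str, str], body: bytes) -> bytes:
    """What the client sees after undoing Content-Encoding."""
    coding = headers.get("Content-Encoding")
    if coding == "gzip":
        return gzip.decompress(body)
    if coding == "deflate":
        return zlib.decompress(body)
    return body


if __name__ == "__main__":
    for ae in ("gzip, deflate", None, "gzip;q=0, deflate", "br"):
        h, b = respond(b"My text", ae)
        print(f"Accept-Encoding={ae!r:22} -> {h.get('Content-Encoding')}, {len(b)} bytes")
```

`Vary: Accept-Encoding` goes out in both branches so a shared cache never serves a gzip body to a client that did not ask for one. One caveat before turning on output compression site-wide: if a response mixes a secret such as a CSRF token with attacker-influenced input, the compressed length leaks the secret even over TLS (the BREACH attack), so keep such pages out of the compressed set.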

Why Firebug pretends that my stylesheet is calling my xmlrpc?

Firebug shows a request which causes a huge delay to
http://reboltutorial.com/wp-content/themes/minaflow/none
Details below, but I don't understand why it says it comes from xmlrpc and the stylesheet:
Date Sun, 04 Apr 2010 16:10:02 GMT
Server Apache
X-Powered-By PHP/5.2.13
X-Pingback http://reboltutorial.com/xmlrpc.php
Expires Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control no-cache, must-revalidate, max-age=0
Pragma no-cache
Set-Cookie wordpress_test_cookie=WP+Cookie+check; path=/; domain=.reboltutorial.com
Last-Modified Sun, 04 Apr 2010 16:10:03 GMT
Vary Accept-Encoding
Content-Encoding gzip
Keep-Alive timeout=2, max=94
Connection Keep-Alive
Transfer-Encoding chunked
Content-Type text/html; charset=UTF-8
GET /wp-content/themes/minaflow/none HTTP/1.1
Host: reboltutorial.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2) Gecko/20100115 Firefox/3.6
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://reboltutorial.com/wp-content/themes/minaflow/style.css
1) Please remove SESSION_ID and all cookies from the post (it's quite easy for a hacker to access your site with that).
2) In the CSS you have the following code 3 times:
background: url(none);
That's why it goes to a 404 error!
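Why the request shows up with the stylesheet as its Referer, as an added example that is not part of the original question or answer: `none` is a keyword only when it stands alone as a `background-image` value; wrapped in `url(...)` it is an ordinary relative reference, and the browser resolves relative `url()` values against the stylesheet's own URL, not the page's. The scanner below pulls every `url()` out of a stylesheet and resolves it the way the browser does, then flags the ones that look like keywords by mistake. The stylesheet text is a constructed stand-in for the theme's style.css; only the URL is taken from the post. The X-Pingback header in the response is just WordPress advertising xmlrpc.php and has nothing to do with the request.

```python
"""Resolve url() references in CSS the way a browser does (added example, constructed CSS)."""
import re
from urllib.parse import urljoin, urlsplit

URL_TOKEN = re.compile(r"""url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)""", re.I)

STYLESHEET_URL = "http://reboltutorial.com/wp-content/themes/minaflow/style.css"

# Constructed stylesheet fragment: two mistaken url(none), one real keyword, two real images.
CSS = """
body      { background: url(images/bg.png) repeat-x; }
#sidebar  { background: url(none); }
#footer   { background: url("none"); }
a.ext     { background: url(/wp-content/uploads/ext.png) no-repeat; }
.logo     { background-image: none; }
"""


def extract_urls(css: str) -> list:
    """Every url(...) argument, unquoted, in document order."""
    return [next(g for g in m.groups() if g is not None) for m in URL_TOKEN.finditer(css)]


def resolve(css: str, stylesheet_url: str) -> list:
    """Absolute URLs the browser will fetch while applying this stylesheet."""
    return [urljoin(stylesheet_url, u) for u in extract_urls(css)
            if u and not u.startswith("data:")]


def suspicious(css: str, stylesheet_url: str) -> list:
    """Resolved URLs whose last path segment has no extension: usually a CSS
    keyword (none, transparent, inherit) that was wrapped in url() by mistake."""
    flagged = []
    for u in resolve(css, stylesheet_url):
        last = urlsplit(u).path.rsplit("/", 1)[-1]
        if "." not in last:
            flagged.append(u)
    return flagged


if __name__ == "__main__":
    for u in resolve(CSS, STYLESHEET_URL):
        print("fetch:", u)
    for u in suspicious(CSS, STYLESHEET_URL):
        print("suspicious:", u)
```

Each flagged URL is one extra round trip that ends in a WordPress 404 page, which is where the delay in the Firebug timeline comes from; a run over the theme's real style.css should report the three occurrences the answer mentions.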

Get Browser to send both If-None-Match and If-Modified-Since

My browser isn't sending back an If-Modified-Since header for PHP-generated content.
On the first request my script sends:
(Status-Line) HTTP/1.1 200 OK
Date Thu, 21 Jan 2010 08:55:25 GMT
Server Apache/2.2.11 (Win32) PHP/5.2.9-1
X-Powered-By PHP/5.2.9-1
Pragma no-cache
x-ua-compatible IE=8;FF=3;OtherUA=4
Last-Modfied Sat, 02 Jan 2010 02:02:20 GMT
Content-Length 28453
Etag b98e0795b509be20146f58e06fbb624f
Keep-Alive timeout=5, max=90
Connection Keep-Alive
Content-Type image/png
and on the second request it sends:
(Request-Line) GET /kincumberunitingchurch/banner_image.php?id=1 HTTP/1.1
Host localhost
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.17) Gecko/2009122116 Firefox/3.0.17
Accept image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 300
Connection keep-alive
Referer http://localhost/kincumberunitingchurch/index.php?sid=tgl9jq3f71nau3cj9vps6pna03
Cookie sid=tgl9jq3f71nau3cj9vps6pna03; PHPSESSID=m0jvven6d7l65pl6odm9ecfnt4
If-None-Match b98e0795b509be20146f58e06fbb624f
Cache-Control max-age=0
For other files the server sends first:
(Status-Line) HTTP/1.1 200 OK
Date Thu, 21 Jan 2010 08:55:25 GMT
Server Apache/2.2.11 (Win32) PHP/5.2.9-1
Last-Modified Wed, 30 Dec 2009 02:40:58 GMT
Etag "1000000013d35-40d9-47be9117f6280"
Accept-Ranges bytes
Content-Length 16601
Keep-Alive timeout=5, max=84
Connection Keep-Alive
Content-Type image/png
and my browser sends the following on the next request:
(Request-Line) GET /kincumberunitingchurch/img/cbuttons.png HTTP/1.1
Host localhost
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.17) Gecko/2009122116 Firefox/3.0.17
Accept image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 300
Connection keep-alive
Referer http://localhost/kincumberunitingchurch/mystyle.css
Cookie sid=tgl9jq3f71nau3cj9vps6pna03; PHPSESSID=m0jvven6d7l65pl6odm9ecfnt4
If-Modified-Since Wed, 30 Dec 2009 02:40:58 GMT
If-None-Match "1000000013d35-40d9-47be9117f6280"
Cache-Control max-age=0
Why would it send the If-Modified-Since header for those and not for mine?
Your first sent header reads "Last-Modfied", which is a typo (the first 'i' in Modified is missing).
Can you check whether the Last-Modfied in the first example isn't a typo on the server side?
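The validator exchange behind that answer, as an added example that is not part of the original question or answer: a browser copies the ETag it received into If-None-Match and the Last-Modified value into If-Modified-Since, so a response whose date header is spelled `Last-Modfied` leaves the browser with nothing to put in If-Modified-Since. The model below builds the script's headers with or without the typo, derives the revalidation headers a browser would send, and evaluates them on the server side with RFC 7232 precedence (If-None-Match is checked first; If-Modified-Since only when no If-None-Match is present). The ETag and dates are the ones from the post; the quoting of the ETag is this example's, not the script's.

```python
"""HTTP validators and conditional requests, RFC 7232 (added example)."""
import email.utils
from typing import Dict


def make_response_headers(etag_value: str, last_modified: str, typo: bool = False) -> Dict[str, str]:
    """Validators a script should emit; typo=True reproduces the misspelled header."""
    return {
        "Content-Type": "image/png",
        "ETag": f'"{etag_value}"',                 # entity-tags are quoted (RFC 7232 section 2.3)
        ("Last-Modfied" if typo else "Last-Modified"): last_modified,
    }


def client_revalidation_headers(stored: Dict[str, str]) -> Dict[str, str]:
    """What a browser sends next time, from the validators it cached."""
    out = {}
    if "ETag" in stored:
        out["If-None-Match"] = stored["ETag"]
    if "Last-Modified" in stored:                  # an unknown header name is simply ignored
        out["If-Modified-Since"] = stored["Last-Modified"]
    return out


def _opaque(tag: str) -> str:
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(if_none_match: str, current: str) -> bool:
    """Weak comparison: '*' matches anything, W/ prefixes are disregarded."""
    if if_none_match.strip() == "*":
        return True
    return any(_opaque(t) == _opaque(current) for t in if_none_match.split(","))


def conditional_status(request: Dict[str, str], current_etag: str,
                       current_last_modified: str) -> int:
    """304 when the client's copy is still current, else 200 (RFC 7232 section 6)."""
    inm = request.get("If-None-Match")
    if inm is not None:
        return 304 if etag_matches(inm, current_etag) else 200
    ims = request.get("If-Modified-Since")
    if ims is not None:
        since = email.utils.parsedate_to_datetime(ims)
        modified = email.utils.parsedate_to_datetime(current_last_modified)
        if modified <= since:
            return 304
    return 200


ETAG = "b98e0795b509be20146f58e06fbb624f"
LAST_MODIFIED = "Sat, 02 Jan 2010 02:02:20 GMT"

if __name__ == "__main__":
    for typo in (False, True):
        sent = make_response_headers(ETAG, LAST_MODIFIED, typo=typo)
        back = client_revalidation_headers(sent)
        print("typo" if typo else "ok  ", back,
              "->", conditional_status(back, f'"{ETAG}"', LAST_MODIFIED))
```

Two things the posted headers also show: the script's `Etag` value is unquoted, which is not a valid entity-tag (Apache's own, on the static PNG, is quoted), and the browser echoed it back anyway; and once If-None-Match is present the server never consults If-Modified-Since, so the missing header costs nothing until the ETag goes away.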
