Is that possible that with cURL not every user use the same cookie?
Because it's cool that I store the cookie that I get, but this cookie will be used by everybody, and it should be, because it's a login cookie.
Charlie
Here's a really basic overview of how cookies work
Client (browser) makes request
Server sees request and asks "hey, did this client send me a cookie?"
Server doesn't see a cookie, so it does some stuff, and then sends back a response, with a cookie
Client (browser) sees the response and says "hey look, a cookie for me, I better save this"
The next time the client makes a request to that same server, it sends along that same cookie
Server sees the request and asks "hey, did this client send me a cookie?"
Server sees the cookie this time, and does some different stuff because of what's in the cookie, and then sends back a response, with a cookie
Client (browser) sees the response and says "hey look, a cookie for me, lets update the one I have"
It sounds like the problem you're running into is you have multiple curl requests running from the same machine, but you want each one to use a different cookie file.
You should be able to achieve this by using the following two curl options
CURLOPT_COOKIEJAR //tells curl which file to save the cookie from the server in
CURLOPT_COOKIEFILE //tells curl which file to look in and send as the request cookie
If you setup a system so that each different curl request is setting a different path value for these two options, you should be set.
Your question is unclear, do you want all user to use the same cookie or not ? What is an user in your case, a visitor on your website ?
In any case, you can set which file curl will use to save/load its cookies using curl_setopt and the CURLOPT_COOKIE* constants.
Related
We have our current website in PHP. We are currently upgrading it in Node. We will upgrade it step by step so we'll have some pages in PHP and some other in Node.
Problem is, when users will connect we have to make sure they have a session in both PHP and Node, so they won't have to connect twice.
In PHP we create a PHPSESSID cookie and we store all the data in a session file in /tmp.
In Node we use a JWT token.
What i am trying to achieve right now is: when and user connects with a page that runs on Node, it has to create a PHPSESSID cookie and the session file, so when he will navigate to another page that runs on PHP he will still be connected.
The PHP website and the Node API have the same domain but run on a different port.
Right now what my code does is:
I call the signIn function from the Node API
It creates the JWT token and the user is connected properly in Node
I call the PHP website like this: http://www.mysite.local/ajax/login?user=user&pass=pwd
It creates the session file correctly
It creates the PHPSESSID cookie
But when i check the cookies of my domain, the PHPSESSID doesn't appear. But it does after i create it and print $_COOKIE in PHP.
And because of that PHP can't find any PHPSESSID cookie and can't access the session file.
I'm using Node with GraphQL and Apollo, and PHP with Zend Framework 1.12
Here is how i call PHP with Node:
const url = `http://www.mysite.local/ajax/login?email=${data.email}&password=${data.password}`
const headers = {
Referer: 'http://www.mysite.local/auth'
}
await fetch(url, { method: 'GET', headers: headers })
The sessions in PHP are managed by Zend
I'm testing on Firefox.
HTTP cookies work like this:
The client sends an HTTP request to the server
The server responds with an HTTP response which includes a Set-Cookie header
The client then stores the cookie
Later on, the client sends another HTTP request to the same server. Since it has a stored cookie, the cookie is including in the request headers.
Browsers will, in general, automatically store cookies. (There are some edge cases, like Ajax requests only handling cookies in cross-origin requests if withCredentials is enabled).
Server-side code will, in general, not automatically store cookies. When dealing with server-side code you usually need to explicitly deal with cookies, usually by configuring a cookie jar library (e.g. fetch-cookie).
You are making an HTTP request from the browser to Node.js.
Node.js is making an HTTP request to PHP.
PHP is responding with a cookie (I assume)
Node.js is ignoring the cookie
Node.js is making an HTTP response to the browser
The browser gets the HTTP response (with no Set-Cookie header in it).
At no point does Node.js either read the cookie from the request it made to PHP or copy that cookie in the response it makes to the browser.
That is what you need to do.
(And then you'll need to continue to proxy requests to the PHP through the Node.js because the cookie stored in the browser would be associated with the Node.js server).
php.net specifies that
'HTTP_REFERER' The address of the page (if any) which referred the
user agent to the current page. This is set by the user agent. Not all
user agents will set this, and some provide the ability to modify
HTTP_REFERER as a feature. In short, it cannot really be trusted.
My question is if the redirect is happening on the server level, who's considered the UserAgent? and how do i make sure referrer info is sent with a 301?
ex.
i have page mywebsite1.com/page, which i 301Redirect to mywebsite2.com/page
now when it goes to my mywebsite2.com/page, i cant see no referrer info, and im wondering who sets this info!
The "user agent" is the client sending HTTP requests to an HTTP server. In most cases, the user agent is a web browser, but the term is more general to include things like automated scripts.
The key misunderstanding in your question is that a redirect doesn't "happen on the server level". What happens is this:
The user agent sends an HTTP request to the server for a URL.
The server responds with an HTTP response, with the "status" line set to "301" (or one of the other "redirect" statuses), and a "Location" header containing a new URL.
The user agent probably sends a second request to the server, for the new URL.
The server receives the second request and has no way of knowing if it was connected with the first request.
The "referer" header (the misspelling is historical, and now officially "correct") is just part of the information sent by the user agent with each request. (Importantly, like everything in the request, it cannot be trusted for any kind of security purpose, because someone can write a request with any value they want.)
The RFC section on the Referer header doesn't specify its behaviour very closely, and I can find no reference there to how it should be populated after a redirect response. As such, different user agents may behave differently, and you would need to test in different browsers to be sure.
Relying on referrer alone is not reliable at all, since browsers can omit providing that, depending on the user's privacy settings, installed plugins or even browser settings.
The best way to detect users coming from your redirect is just redirecting them to something like mywebsite2.com/page?redirected_from=mywebsite1, and look for that query string on your page located on mywebsite2.com.
Hope this makes sense.
The User Agent is whatever entity is making the HTTP requests, it may be a browser, an internal library used by a server application which acts as a client and makes requests, a proxy server forwarding requests to other address or services.
There is no guarantee that referrer will be forwarded to the destination server. In a proxy for example you have to instruct it to forward the referrer header to the destination server (often at configuration level). In a similar manner you should check that the whoever is responsible for handling the redirect forwards the referrer header to the following request (the destination of the redirect).
If you are using Guzzle to handle the redirects then you should look to Guzzle docs to automatically add the header to the requests.
If Apache is responsible to handle the redirects you should intervene to set the header within the webserver configuration, in this SO answer you can find a way to set Headers programmatically while redirecting.
I was wondering if there was a way to force an iOS device to login to a php page each time they send a request to the page.
Currently, after I log in the first time, I have to restart the application to force it to ask for credentials to be sent again. I have tested this behaviour with a webpage, and after the login prompt shows and I enter the password correctly, I do not have to enter it until I restart the browser and go to the page again.
I was wondering if there is any way to change this behaviour either server or client side to force the server to request credentials every time a request is sent.
If information about being logged in are stored in session (which I think it is - but it depends on application) you can f.e. reset session after each request.
In other words: run same action that will be run when user is logging out, but after every request.
As much as Esse's answer is good for server side, I found an easier workaround client-side, setting the NSURLCredential storage to NSURLCredentialPersistenceNone. This stops the phone from storing the basic auth credentials. As this site is not intended to be used by browser's this is a decent work around
Ok I guess this question may be similar to other in the "remote cookies" kind, but I'm not sure that other answers I've read are applied to my case anyway, so here we go.
I have two applications, a client and a server. The server "has" (I know they're actually stored client-side) a cookie and a page which uses it to print out a computed data based on the cookie.
If I access the server page directly, the cookie is taken into account and the data is output correctly.
If I call the same server page from the client via a file_get_contents() the cookie on the server page doesn't get read, and I get an answer computed with an empty cookie.
How to make the server read its own cookies when answering a similar request? Is cURL the only option?
You need to:
Make a request that gets a Set-Cookie header in the response (assuming the cookies are HTTP cookies and not JS cookies)
Store the cookies
Include the cookies in the HTTP request to the page that displays them
cURL is probably the sanest way to go about dealing with being an HTTP client in PHP when you need to pay attention to the headers. Another question gives some guidance about how to go about doing that.
Note that there is no way to send the cookies that the browser accessing your PHP script would sent to the remote server. They are a secret that belong to the browser and that server and will not be shared with your server.
so what i am trying to do is this:
login to the other server with a PHP on my own server (either with my username and pass/or with my cookies)
then have access to the page i want to display/download
i want to write a PHP script that is located on my own server, that automatically does a login to another server, that uses HTTPS and a web form for login.
after the login i have access to that page that i am trying to download.
i dont know if it would be possible to login and download the html only with the cookies that i have in my browser through a previous login, or if i need to do the login in my php script through some https login method.
can i do any of this with curl or fsocksopen or what would be the best way to realize this?
thanks in advance!
you just have to try. in most cases you should be fine if you export your cookies and use them in your curl request.
however the website mave hashed the cookies with the remote address, or given a timeout on them.
then you probably have to login from the server. with php / curl you can do that all.
the only thing that may be a problem is javascript/captcha codes.
in addition you should definately check zend http client, it has functionalities that makes "browsing" easy. for example saving cookies and automatically passing them on in the next request and also deleting them if the server tells you so etc.
Use the PEAR HTTP Request class.