Fetch Api - how to send PHP SESSION data to the target PHP file?

Time:12-13

I can't figure out why the JavaScript Fetch API stubbornly refuses to keep my PHP session. Here is a minimal test:

loader.php

<?php
session_start();
$_SESSION['test'] = 'OK';
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
</head>
<body>
    <p>Origin session id is <?php echo session_id() ?></p>
    <div id="target"></div>
    <script>
        fetch('data.php', {
            method: 'get',
            credentials: 'include'
        }).then(response => response.text()).then((data) => {
            document.getElementById('target').innerHTML = data;
        }).catch(function (error) {
            console.log(error);
        });
    </script>
</body>
</html>

data.php:

<?php
session_start();

echo '<p>Target session id is ' .  session_id() . '</p>';
if (empty($_SESSION)) {
    echo '<p>session is empty</p>';
} else {
    echo implode('<br>', $_SESSION);
}

result:

Origin session id is abe10f9c611066f6400b2ce3d0ee8f97
Target session id is a68e76bf1d5180d79d27a2bcfa3c462c
session is empty

I found several similar questions/answers, but none of them helped. The suggested solution is to provide the Credentials option with 'include' or 'same-site', but none of them work.

I know that I can pass the session ID but if possible would like to avoid it.

Thanks for your help

CodePudding user response:

Is session.cookie_httponly enabled on the server? If it is, then that will prevent JavaScript calls from using the cookie (and generally speaking PHP sessions tend to be backed by a cookie). In the context of this setting, http-only implies "http/https allowed; javascript/webassembly/... denied".

You can probably see the current value with phpinfo(); or read more about it on php.net.

CodePudding user response:

I finally found the origin of the issue. This happened because I'm not in SSL (I'm on localhost) and sent this header from my .htaccess:

Header always edit Set-Cookie (.*) "$1; Secure"

I first checked my cookies with var_dump(session_get_cookie_params()); and it returned ["secure"]=> bool(false)

Useful to know:

In PHP, session_get_cookie_params() returns a wrong value if the cookie param is set in .htaccess.

This is because the function is reading the php.ini value, not the value sent with .htaccess.
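
The failure described in the answer above, as an added example that is not part of the original thread: a simplified model (RFC 6265 rules only; browser-specific localhost exceptions are not modelled) of whether the session cookie accompanies the fetch() request once the .htaccess rule has appended "; Secure". The header value, the URLs and all function names are constructed for illustration.

```javascript
// Constructed sample: a Set-Cookie header as PHP's session_start() might emit it.
const SAMPLE = 'PHPSESSID=constructed-session-id; path=/; HttpOnly';

// Mimics the effect of: Header always edit Set-Cookie (.*) "$1; Secure"
function applyHtaccessEdit(header) {
  return `${header}; Secure`;
}

// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Decide whether the cookie would accompany a credentialed request to requestUrl.
function diagnose(setCookieHeader, requestUrl) {
  const cookie = parseSetCookie(setCookieHeader);
  const scheme = new URL(requestUrl).protocol;
  // A cookie carrying Secure is only returned over https.
  const sent = !cookie.secure || scheme === 'https:';
  return {
    name: cookie.name,
    sentWithFetch: sent,
    // HttpOnly only hides the cookie from document.cookie;
    // the browser still attaches it to fetch() requests.
    readableByScript: !cookie.httpOnly,
    reason: sent
      ? 'cookie returned, session_start() resumes the session'
      : 'Secure cookie withheld on plain HTTP, session_start() issues a new id',
  };
}

// The header as the browser receives it after the .htaccess edit, on plain HTTP.
console.log(diagnose(applyHtaccessEdit(SAMPLE), 'http://localhost/data.php'));
```

Because the attribute is added by the web server after PHP has run, the value to inspect is the Set-Cookie header in the browser's network panel, not PHP's own view of its cookie parameters.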
