file_get_contents (or curl, or fopen) problem with session data

情深已故 2021-02-11 04:15

I have a page that shows a value from the session, let's call it www.domain-a.com/master.php, and if I type it directly into the browser, it shows me the session value.

but wh

6 answers
  • 2021-02-11 05:02

    If you have control over www.domain-a.com/master.php, then you can have it programmed in a way that you could send it the username in encrypted fashion, like master.php?user=zxcvert2324 or whatever, and it would decrypt it and know who is sending the request.

    Otherwise you would need to look into CURL and have the session created by first having curl log in to that site and then, on the next request, go to that master.php page.

  • 2021-02-11 05:03

    Your PHP configuration is probably prohibiting you from retrieving files over HTTP.

    Possible culprits:

    • Safe mode
    • Open basedir
    • allow_url_fopen
  • 2021-02-11 05:04

    There is one useful solution.

    Sending PHPSESSID to another server doesn't make sense, because session data are stored in a file on the server, and that is the reason why file_get_contents blocks the HTTP service. It is simple. The client connects to the server using HTTP and the server opens the file with session data, for writing of course. file_get_contents creates another connection (another thread) that connects to the same server. If the session ID is set, then the server opens the same file with session data, but this file is already opened.

    So here is a good solution that prevents this collision:

    $opts = array(
        'http' => array(
            'method' => "GET",
            'header' => "Accept-language: en\r\n" .
                        "Cookie: " . session_name() . "=" . session_id() . "\r\n"
        )
    );

    $context = stream_context_create($opts);
    session_write_close();   // this is the key
    $obsah = file_get_contents('http://blablabla.cz', false, $context);
    

    It works fine. Yes yes yes

  • 2021-02-11 05:12

    Keep in mind that if your session code validates against the client IP address, then you may still have issues, as the client IP posted to your page will be that of the requesting server (using curl or file_get_contents) instead of the client browser.

  • 2021-02-11 05:14

    You probably need to send the session ID of the user in a cookie along with the request.

    If you want to use the file_get_contents function, you have to create a context to set a cookie:

    $opts = array(
        'http' => array(
            'method' => 'GET',
            'header' => 'Cookie: PHPSESSID=0123456789abcdef0123456789abcdef'
        )
    );
    $context = stream_context_create($opts);
    echo file_get_contents('http://master.example.com/master.php', 0, $context);
    
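The two answers above that forward the session cookie (the one calling `session_write_close()` and the one building a `Cookie:` header) combined into one helper, as an added example that is not part of any post in this thread. `fetch_with_session()` and `ALLOWED_HOSTS` are hypothetical names, and the HTTPS-only rule, the host allow-list and the disabled redirects are assumptions of this example, chosen because the forwarded cookie is the user's credential.

```php
<?php
// Added example, not code from the thread. ALLOWED_HOSTS and
// fetch_with_session() are hypothetical names chosen for illustration.
const ALLOWED_HOSTS = ['www.domain-a.com'];

function fetch_with_session(string $url, int $timeout = 5): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');

    // The session cookie authenticates the user: send it only over TLS
    // and only to hosts named in the allow-list.
    if ($scheme !== 'https' || !in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException("refusing to send session cookie to $url");
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('no active session to forward');
    }

    $name = session_name();
    $id   = session_id();
    // PHP-generated IDs use only these characters; anything else (CR, LF,
    // ';') could alter the header line, so reject it.
    if (!preg_match('/^[A-Za-z0-9,-]+$/', $id)) {
        throw new RuntimeException('unexpected characters in session id');
    }

    // Release the lock on the session file before the inner request, so
    // the second request for the same session ID is not left waiting.
    session_write_close();

    $context = stream_context_create(['http' => [
        'method'          => 'GET',
        'header'          => "Cookie: $name=$id\r\n",
        'timeout'         => $timeout,  // do not hang if the peer stalls
        'follow_location' => 0,         // cookie goes only to the checked host
    ]]);

    $body = file_get_contents($url, false, $context);
    if ($body === false) {
        throw new RuntimeException("request to $url failed");
    }
    return $body;
}
```

After the call the session is closed for writing: `$_SESSION` can still be read, but later changes are not saved unless `session_start()` is called again.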
  • 2021-02-11 05:21

    You should be able to retrieve the content with curl. See this answer (you can probably drop the browser spoof option).
