i have a page that shows a value from session, lets call it www.domain-a.com/master.php and if i type it directly from the browser, it shows me the session value.
but when i try to download it with file_get_contents (or other method) from another domain, like www.domain-b.com/slave.php, it is not retrieving the content protected by the session, just a blank page.
i know it is because the server-b is trying to retrieve the content, not the user...
anyone knows how to tell the domain-a that who is retrieving the information is the user? there is a way to retrieve the session value?
regards,
josé
There is one usefull solution.
Sending PHPSESSID to another server doesn't make a sense, because session data are stored in a file on the server and that is the reason why file_get_contents block http service. It is simple. Client connect to server using http and the server opens file with session data for writing of course. file_get_contents create another connection (another thread) that connect to the same server. If session id is set then server opens same file with session data, but this file is already opened.
so here is a good solution that prevents this collision:
$opts = array( 'http'=>array( 'method'=>"GET",
'header'=>"Accept-language: en\r\n" .
"Cookie: ".session_name()."=".session_id()."\r\n" ) );
$context = stream_context_create($opts);
session_write_close(); // this is the key
$obsah = file_get_contents( 'http://blablabla.cz', false, $context);
it works fine. Yes yes yes
You probably need to send the session ID of the user in a cookie along with the request.
If you want to use the file_get_contents function, you have to create a context to set a cookie:
$opts = array(
'http' => array(
'method' => 'GET',
'header' => 'Cookie: PHPSESSID=0123456789abcdef0123456789abcdef'
)
);
$context = stream_context_create($opts);
echo file_get_contents('http://master.example.com/master.php', 0, $context);
keep in mind that if your session code validates against client IP address, then you may still have issues as the client IP posted to your page will be that of the requesting server (using curl or file_get_contents) instead of the client browser.
if you have control over the www.domain-a.com/master.php
then you can have it programmed in a way that you could send it the username in encrypted fashion and like master.php?user=zxcvert2324 or whatever and it would decrypt and know who is sending the request.
Otherwise you would need to look into CURL and have the session created by first having curl login to that site and then on the next request goto that master.php page.
Your PHP configurations are probably prohibiting you to retrieve files over HTTP.
Possible culprits:
You should be able to retrieve the content with curl. See this answer (you can probably drop the browser spoof option).
来源:https://stackoverflow.com/questions/766109/file-get-contents-or-curl-or-fopen-problem-with-session-data