469,354 Members | 2,035 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,354 developers. It's quick & easy.

sending multiple cookies with file_get_contents()

404 256MB
I've been using stream_context_create() to send cookies along with a file_get_contents() call when requesting a remote page. This is useful if I need to pass information to the remote page that my server can't pass, like a login form. This works perfectly well when I've got a single cookie, or multiple cookies on the same domain and path, but what if I need to send multiple cookies that work for multiple different domains or paths?

Here's an example code:

Expand|Select|Wrap|Line Numbers
  1. <?php
  2. $cookies = array("Cookie: testcookie=blah; testcookie2=haha; path=/; domain=infectionist.com;");
  3. $opts = array('http' => array('header' => $cookies));
  4. $context = stream_context_create($opts);
  5. $html = file_get_contents("http://infectionist.com/misc/testing/cookie.php?do=view", false, $context);
  6. echo $html;
  7. ?>
This will utilize a quick script that I wrote that displays the values of 2 cookies named "testcookie" and "testcookie2". Notice in the cookies array, I've got both cookies set, and since both work on the same path and domain, they both appear properly. But I've got a page that I need to retrieve while sending multiple cookies from multiple domains (actually subdomains of the requested domain) and/or paths.

How might I accomplish this? I tried making my cookies array have multiple values, like this:

Expand|Select|Wrap|Line Numbers
  1. $cookies = array("Cookie: testcookie=blah; path=/; domain=infectionist.com;", "Cookie: testcookie2=haha; path=/; domain=infectionist.com;");
But that didn't work, only the first cookie was set. I can't seem to figure out how this might be done, but I'm sure someone else has done it before. Any help with this will be greatly appreciated!
Apr 19 '10 #1
5 14159
5,058 Expert 4TB

Unless I am misunderstanding you, I think you may be misunderstanding how the Cookie header should be used. The path and domain meta-values are meant to be used with the Set-Cookie header, but not the Cookie header.

For example, say a page located at example.com/cookie/ sends the following header when you first request it:
Expand|Select|Wrap|Line Numbers
  1. Set-Cookie: key=value; path=/cookie; domain=example.com
The path and domain values are used by the browser to determine where the cookie belongs; so the browser knows which URL to send the cookie to. After receiving that header, the browser should be adding the following header to any requests to the example.com/cookie/ URL.
Expand|Select|Wrap|Line Numbers
  1. Cookie: key=value
There is no point in passing the path and domain values back to the server. There is no security benefit to it, and even if the cookie was mistakenly sent to the wrong domain/path, the server-side code shouldn't mind an extra cookie being sent.

Your first example used this:
Expand|Select|Wrap|Line Numbers
  1. Cookie: testcookie=blah; testcookie2=haha; path=/; domain=infectionist.com;
On the server, the path and domain values, which I assume you mean to be meta-values (to indicate where the cookie belongs), would in fact be considered the third and fourth key-pair cookie data values. Dumping the $_COOKIE array from a PHP request that includes that header would print:
Expand|Select|Wrap|Line Numbers
  1. array(4) {
  2.   ["testcookie"]=>
  3.   string(4) "blah"
  4.   ["testcookie2"]=>
  5.   string(4) "haha"
  6.   ["path"]=>
  7.   string(1) "/"
  8.   ["domain"]=>
  9.   string(16) "infectionist.com"
  10. }
That header should have just been like this:
Expand|Select|Wrap|Line Numbers
  1. Cookie: testcookie=blah; testcookie2=haha;
Apr 19 '10 #2
404 256MB
I don't think you understood the question. I'm using a php function to retrieve a remote webpage from another server. This remote page displays different data based on cookies sent with the request. If the cookies are not set, it tells you to log in, if they are set, it displays the information I need. I need to send those cookies along with the request for the webpage, but there are multiple cookies from different domains that need to be sent for it to work, so I need to know how to send those multiple cookies with different domain values. I'm not trying to set a cookie on a client computer, I'm trying to make my server act as the client computer.
Apr 19 '10 #3
5,058 Expert 4TB
That's what I though.

A Cookie header, sent by a client, does not include path or domain values. Those values are only used when the server sends a new cookie to the client. They are meant for the client software, so it can determine which requests should include the cookie.

There is no point in sending the path and domain values from the client to the server. A Cookie header should only include data pairs.

As an example, consider this stripped-down version of the HTTP headers in a cookie based shopping cart. Note the Host header of the requests and the domain part of the Set-Cookie headers.
Expand|Select|Wrap|Line Numbers
  1. ## Client login request
  2. POST /login.php HTTP\1.1
  3. Host: example.com
  5. username=myname&pwd=mypass&
  7. ## Server login response
  8. HTTP/1.1 200 OK
  9. Set-Cookie: loginid=123; path=/; domain=.example.com                                                                                                                    
  10. Set-Cookie: cartid=456; path=/; domain=shop.example.com
  13. ## Client adding a product to cart.
  14. GET /addProduct.php?pid=5 HTTP\1.1
  15. Host: shop.example.com
  16. Cookie: loginid=123; cartid=456;
  19. ## Server sets a total price cookie after
  20. ## adding the new product.
  21. HTTP/1.1 200 OK                                                                                                            
  22. Set-Cookie: carttotal=4.95; path=/; domain=shop.example.com
  24. ## Client adds another product.
  25. GET /addProduct.php?pid=10 HTTP\1.1
  26. Host: shop.example.com
  27. Cookie: loginid=123; cartid=456; carttotal=4.95;
  29. ## Server re-calculates and resets the total
  30. ## price cookie, after adding the product.
  31. HTTP/1.1 200 OK                                                                                                            
  32. Set-Cookie: carttotal=9.90; path=/; domain=shop.example.com
  34. ## Client logs out.
  35. GET /logout.php HTTP\1.1
  36. Host: example.com
  37. Cookie: loginid=123
  39. ## Server deletes all the cookies.
  40. HTTP/1.1 200 OK
  41. Set-Cookie: loginid=; expire=1; path=/; domain=.example.com                                                                                                                    
  42. Set-Cookie: cartid=; expire=1; path=/; domain=shop.example.com
  43. Set-Cookie: carttotal=; expire=1; path=/; domain=shop.example.com
My point here is that the none of the client requests include the path or domain in the Cookie header, and when the Host of the client request is not "shop.example.com" the request omits the cookies that were specific to that domain.

Your PHP script should emulate that. The server accepts all cookies, regardless of which domain/path they were originally intended for. It is the client's responsibility to keep that restriction, and the server-side code's responsibility to simply ignore cookies it isn't expecting.
Apr 20 '10 #4
404 256MB
Ok, so let's say I need to send these cookies:

a=1; path=/; domain=a.example.com;
b=2; path=/; domain=b.example.com;

The remote page requires that both cookies be sent, meaning 2 different domain values, but with my PHP script I only know how to send multiple cookies with the SAME domain value. So what you're saying is that I don't need to include the domain value at all, meaning my code in the first post could be this:

Expand|Select|Wrap|Line Numbers
  1. <?php 
  2. $cookies = array("Cookie: testcookie=blah; testcookie2=haha;"); 
  3. $opts = array('http' => array('header' => $cookies)); 
  4. $context = stream_context_create($opts); 
  5. $html = file_get_contents("http://infectionist.com/misc/testing/cookie.php?do=view", false, $context); 
  6. echo $html; 
  7. ?> 
And it would still work?

It does appear so, but I've only tested it on single-domain cookies, not those that require multiple domains.

One other question, if I might. How might I go about changing the expiry date of the cookie? I understand that this might be dictated by the server and not by the cookie, but I'd still like to know.

And also, so you can better understand, I'm logging into a page secured behind a .NET Passport login (using my own login information!) so that I can get achievement information for Xbox 360 games. You can only get this info if you're logged in. I got it working a little after I made this post (since it's cookies only need the single domain), but when I came back tonight it wouldn't work, leading me to assume the cookie had timed out (or the session on the server.)
Apr 20 '10 #5
5,058 Expert 4TB
Yes, regardless of which domain the server intended the cookie to belong to, you can send it. The path and domain values should not be a part of the Cookie header. It should only list the "key=value" pairs you want the HTTP server to receive.

However, those two cookies you mentioned should never be sent together. They belong to separate domains, which a client should restrict them to. Having said that, there is nothing that actually stops you from sending them despite that.

One other question, if I might. How might I go about changing the expiry date of the cookie? I understand that this might be dictated by the server and not by the cookie, but I'd still like to know.
The expiration date of the cookie, much like the domain and path, are only meant for the client. The server does not keep track of these values, so your client can ignore them all if you want. - You don't have to change the expiration date. Your client has full control over whether or not it actually uses it.

However, if the cookie is storing some sort of session ID or some for of login information, the server may well keep track of the session on the server-side, and make the session time-out and become invalid. - For example, PHP sessions are automatically invalidated after a certain period of inactivity, after which the session ID that the cookie stores becomes useless.

Most login mechanisms use some form of session time-out functionality. It's a basic security feature, meant to make it harder to steal session cookies. - If you are indeed trying to pass session ID cookies, you would have to log in first to make sure the session is actually active.

I don't know details about .Net session capabilities, but even thought it is a M$ technology, I think it is safe to assume they have gotten this stuff right by now.
Apr 20 '10 #6

Post your reply

Sign in to post your reply or Sign up for a free account.

Similar topics

6 posts views Thread by Anonymous | last post: by
9 posts views Thread by Michael Evanchik | last post: by
3 posts views Thread by Beryl Small | last post: by
2 posts views Thread by Damiro | last post: by
5 posts views Thread by howa | last post: by
5 posts views Thread by Sonnich | last post: by
13 posts views Thread by ofiras | last post: by
reply views Thread by pac1250 | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by suresh191 | last post: by
1 post views Thread by Marylou17 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.