Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 0.13.0

Bug #6684 The HTTP Transport Class is not adding the stored cookies then using HTTPS
Submitted: 2006-02-03 08:34 UTC Modified: 2007-01-21 12:47 UTC
From: theefrit at gmail dot com Assigned: yunosh
Status: Closed Package: SOAP (version 0.9.3)
PHP Version: 4.3.11 OS: Linux (SuSE 9.2) 2.6.8-24.19
Roadmaps: (Not assigned)    

 [2006-02-03 08:34 UTC] theefrit at gmail dot com
Description: ------------ I have detected that when I call a remote method using the HTTP over SSL transport, the session state is not keep through multiple calls with the same SOAPClient. After investigating the source, I found that the SOAPClient is not adding the Cookie Header. Indeed, in the file Transport/HTTP.php, the method _sendHTTPS is not adding an extra parameter to curl with the cookies as the _sendHTTP method does by adding the header "Cookie." The fastest way to solve this is by adding the following call to the _sendHTTPS method curl_setopt($ch, CURLOPT_COOKIE, $cookies); where $cookies is a string with the cookies to send. See below for the complete code. A workaround without changing the SOAP package code is adding the custom curl option before the call in the own client script with $soapclient->setOpt('curl', CURLOPT_COOKIE, $cookies); where $cookies is a string formed using $soapclient->_soap_transport->result_cookies Extra information: Installed packages: =================== Package Version State Archive_Tar 1.3.1 stable Console_Getopt 1.2 stable DB 1.7.6 stable HTTP_Request 1.3.0 stable Log 1.9.3 stable Mail 1.1.9 stable Mail_Mime 1.3.1 stable Net_Curl 1.2.2 stable Net_DIME 0.3 beta Net_SMTP 1.2.7 stable Net_Socket 1.0.6 stable Net_URL 1.0.14 stable PEAR 1.4.6 stable PEAR_Frontend_Gtk 0.4.0 beta PHPUnit 1.3.2 stable PHP_Compat 1.5.0 stable SOAP 0.9.3 beta XML_Parser 1.2.7 stable XML_RPC 1.4.5 stable PHP Configure: './configure' '--prefix=/usr' '--datadir=/usr/share/php' '--mandir=/usr/share/man' '--bindir=/usr/bin' '--libdir=/usr/share' '--includedir=/usr/include' '--sysconfdir=/etc' '--with-_lib=lib' '--with-config-file-path=/etc' '--with-exec-dir=/usr/lib/php/bin' '--disable-debug' '--enable-inline-optimization' '--enable-memory-limit' '--enable-magic-quotes' '--enable-safe-mode' '--enable-sigchild' '--disable-ctype' '--disable-session' '--without-mysql' '--disable-cli' '--without-pear' '--with-openssl' '--with-apxs2=/usr/sbin/apxs2-prefork' 'i586-suse-linux' Test script: --------------- In the _sendHTTPS method of Transport/HTTP.php, add the following $this->cookies = array(); if (!isset($options['nocookies']) || !$options['nocookies']) { // Add the cookies we got from the last request. if (isset($this->result_cookies)) { foreach ($this->result_cookies as $cookie) { if ($cookie['domain'] == $this->urlparts['host']) $this->cookies[$cookie['name']] = $cookie['value']; } } } // Add cookies the user wants to set. if (isset($options['cookies'])) { foreach ($options['cookies'] as $cookie) { if ($cookie['domain'] == $this->urlparts['host']) $this->cookies[$cookie['name']] = $cookie['value']; } } if (count($this->cookies)) { curl_setopt($ch, CURLOPT_COOKIE, $this->_genCookieHeader()); } This code snip is based on the _getRequest method called by _sendHTTP Expected result: ---------------- If you send multiple calls with the same SOAPClient and the server is using cookie-based sessions, then you will receive only one "Set-Cookie" header in the first call and in the following calls, you will sent the "Cookie" header so the session is kept throught all the calls. Actual result: -------------- Each time is called a remote method, the server sends a "Set-Cookie" header with a new PHP SESSION ID instead of keeping the state.


 [2006-03-28 09:25 UTC] jon-crap at jpl dot se (Jon Hollström)
I had the same problem and used the same solution :-) However, for http, _getRequest() is called. One of the things that method does is setting cookies from result_cookies. That method is never called for https. So any cookies need to be created by hand. I have not read all the code but I guess that the solution is to use at least the cookie-code also for the https case. Peace!
 [2007-01-21 12:47 UTC] yunosh (Jan Schneider)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on by the end of next Sunday (CET). If this was a problem with the website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.