Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 0.14.0

Bug #6684 The HTTP Transport Class is not adding the stored cookies then using HTTPS
Submitted: 2006-02-03 13:34 UTC
From: theefrit at gmail dot com Assigned: yunosh
Status: Closed Package: SOAP (version 0.9.3)
PHP Version: 4.3.11 OS: Linux (SuSE 9.2) 2.6.8-24.19
Roadmaps: (Not assigned)    
Subscription  


 [2006-02-03 13:34 UTC] theefrit at gmail dot com
Description: ------------ I have detected that when I call a remote method using the HTTP over SSL transport, the session state is not keep through multiple calls with the same SOAPClient. After investigating the source, I found that the SOAPClient is not adding the Cookie Header. Indeed, in the file Transport/HTTP.php, the method _sendHTTPS is not adding an extra parameter to curl with the cookies as the _sendHTTP method does by adding the header "Cookie." The fastest way to solve this is by adding the following call to the _sendHTTPS method curl_setopt($ch, CURLOPT_COOKIE, $cookies); where $cookies is a string with the cookies to send. See below for the complete code. A workaround without changing the SOAP package code is adding the custom curl option before the call in the own client script with $soapclient->setOpt('curl', CURLOPT_COOKIE, $cookies); where $cookies is a string formed using $soapclient->_soap_transport->result_cookies Extra information: Installed packages: =================== Package Version State Archive_Tar 1.3.1 stable Console_Getopt 1.2 stable DB 1.7.6 stable HTTP_Request 1.3.0 stable Log 1.9.3 stable Mail 1.1.9 stable Mail_Mime 1.3.1 stable Net_Curl 1.2.2 stable Net_DIME 0.3 beta Net_SMTP 1.2.7 stable Net_Socket 1.0.6 stable Net_URL 1.0.14 stable PEAR 1.4.6 stable PEAR_Frontend_Gtk 0.4.0 beta PHPUnit 1.3.2 stable PHP_Compat 1.5.0 stable SOAP 0.9.3 beta XML_Parser 1.2.7 stable XML_RPC 1.4.5 stable PHP Configure: './configure' '--prefix=/usr' '--datadir=/usr/share/php' '--mandir=/usr/share/man' '--bindir=/usr/bin' '--libdir=/usr/share' '--includedir=/usr/include' '--sysconfdir=/etc' '--with-_lib=lib' '--with-config-file-path=/etc' '--with-exec-dir=/usr/lib/php/bin' '--disable-debug' '--enable-inline-optimization' '--enable-memory-limit' '--enable-magic-quotes' '--enable-safe-mode' '--enable-sigchild' '--disable-ctype' '--disable-session' '--without-mysql' '--disable-cli' '--without-pear' '--with-openssl' '--with-apxs2=/usr/sbin/apxs2-prefork' 'i586-suse-linux' Test script: --------------- In the _sendHTTPS method of Transport/HTTP.php, add the following $this->cookies = array(); if (!isset($options['nocookies']) || !$options['nocookies']) { // Add the cookies we got from the last request. if (isset($this->result_cookies)) { foreach ($this->result_cookies as $cookie) { if ($cookie['domain'] == $this->urlparts['host']) $this->cookies[$cookie['name']] = $cookie['value']; } } } // Add cookies the user wants to set. if (isset($options['cookies'])) { foreach ($options['cookies'] as $cookie) { if ($cookie['domain'] == $this->urlparts['host']) $this->cookies[$cookie['name']] = $cookie['value']; } } if (count($this->cookies)) { curl_setopt($ch, CURLOPT_COOKIE, $this->_genCookieHeader()); } This code snip is based on the _getRequest method called by _sendHTTP Expected result: ---------------- If you send multiple calls with the same SOAPClient and the server is using cookie-based sessions, then you will receive only one "Set-Cookie" header in the first call and in the following calls, you will sent the "Cookie" header so the session is kept throught all the calls. Actual result: -------------- Each time is called a remote method, the server sends a "Set-Cookie" header with a new PHP SESSION ID instead of keeping the state.

Comments

 [2006-03-28 15:25 UTC] jon-crap at jpl dot se (Jon Hollström)
I had the same problem and used the same solution :-) However, for http, _getRequest() is called. One of the things that method does is setting cookies from result_cookies. That method is never called for https. So any cookies need to be created by hand. I have not read all the code but I guess that the solution is to use at least the cookie-code also for the https case. Peace!
 [2007-01-21 17:47 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!