
My login page: example.com/login (root/public_html/login)
My subdomain: api.example.com (root/api)

When I make a simple GET request using AngularJS `$.http`, it fails to load the session variable. Directly loading the page works fine, but when using Angular it fails (giving a CORS error even though it's on the same server and host, just a different subdomain).

Is it possible that making a JS request to the absolute path (not a relative path) causes a CORS exception?

In my .htaccess file in public_html I have: `php_value session.cookie_domain .example.com`

The file I'm loading from `$.http`:

```php
// Start the session only if one is not already active.
if(!isset($_SESSION)) session_start();
if(!empty($_SESSION['username'])) {
    echo "Working";
} else {
    echo "Not finding username";
    exit;
}
```

Login Code:

```php
// Session cookie scoped to example.com and all of its subdomains.
session_set_cookie_params(0, '/', '.example.com');
session_start();
$_SESSION['username'] = $query[0]['username'];
$_SESSION['email'] = $_POST['email'];
$_SESSION['image'] = $query[0]['image'];
$_SESSION['role'] = $query[0]['role'];
$_SESSION['banned'] = $query[0]['banned'];
$_SESSION['id'] = $query[0]['id'];
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['useragent'] = $_SERVER['HTTP_USER_AGENT'];
// Re-send the session cookie with a 7-day lifetime (604800 seconds).
setcookie(session_name(),session_id(),time()+604800,"/",".example.com");
header("Location: /"); exit;
```

EDIT: api.example.com's doc directory is /api and not the conventional /public_html/api. Would this make a difference?

Edit: Everything was solved once I moved the root/api docs folder to root/public_html/api and then used relative paths in the JS.

  • You _do_ have `session_start()` at the top of the page you are calling via Angular, yes? – Stuart Sep 06 '17 at 13:51
  • @Stuart Yes I do. It does: if(!isset($_SESSION)) session_start(); –  Sep 06 '17 at 13:52
  • Is it named? Maybe try: `$some_name = session_name("some_name"); session_set_cookie_params(0, '/', '.some_domain.com'); session_start();` – Stuart Sep 06 '17 at 13:53
  • @Stuart It's named the default PHPSESSID - also, the code you just put, should I have that in the login script or in the AJAX script? –  Sep 06 '17 at 13:54
  • At the top of your PHP scripts. Ideally the first two lines of that would be in some site-global config that's read by each and every PHP page... – Stuart Sep 06 '17 at 13:57
  • @Stuart I just checked the cookie and even though `.example.com` is set via .htaccess, no initial . is on the cookie's domain section. (From F12) –  Sep 06 '17 at 14:01
  • You'll need that dot to designate the cookie across a subdomain – Stuart Sep 06 '17 at 14:14
  • @Stuart I found out it was because of setcookie (to make it expire in 7 days - which doesn't even work anyway). I added `,".example.com"` to the end of setcookie() and it is now .example.com in the domain, but it's still not working. –  Sep 06 '17 at 14:19
  • **Just found out, manually going to the URL works, is this possibly a CORS issue? I for some reason had to add an Access-Control-Allow-Origin: header for it to be able to even load, is this possibly a CORS issue?** –  Sep 06 '17 at 14:20
  • It's a problem with cookies. Read: https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain – Croises Sep 06 '17 at 14:47
  • @Croises It works fine, just if I use a JS request to call the link, it will do a CORS error –  Sep 06 '17 at 14:50
  • >My subdomain: api.example.com (root/api) should be `api.example.com (root/public_html/api)` – Prince Adeyemi Sep 06 '17 at 19:17
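
Added example, not part of the original question or its comments: a JavaScript model of the browser rules that apply when a page on example.com calls api.example.com, showing why a shared cookie domain alone does not make the session reach a cross-origin XHR. The function names, the `check.php` path and the header values are constructed for illustration.

```javascript
// Added example: a model of the browser checks for the request in the question.
// All URLs, header values and function names here are constructed.

// Same origin = same scheme, host and port. A shared cookie Domain does not change this.
function isSameOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin === new URL(requestUrl).origin;
}

// Is a cookie with this Domain attribute eligible for the request host?
function cookieDomainMatches(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase(); // RFC 6265 ignores a leading dot
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Returns whether the session cookie is sent and whether page script may read the response.
function evaluateRequest({ pageUrl, requestUrl, withCredentials, cookieDomain, responseHeaders }) {
  const origin = new URL(pageUrl).origin;
  const sameOrigin = isSameOrigin(pageUrl, requestUrl);
  // Cross-origin XHR sends cookies only when withCredentials is set.
  const cookieSent = cookieDomainMatches(cookieDomain, new URL(requestUrl).hostname) &&
    (sameOrigin || withCredentials);
  const result = (readable, reason) => ({ cookieSent, readable, reason });
  if (sameOrigin) return result(true, "same origin, CORS not involved");

  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];
  if (!acao) return result(false, "no Access-Control-Allow-Origin header");
  if (!withCredentials) {
    return acao === "*" || acao === origin
      ? result(true, "allowed without credentials")
      : result(false, "origin not allowed");
  }
  // Credentialed responses need the exact origin plus Allow-Credentials: true.
  if (acao === "*") return result(false, "wildcard origin rejected for credentialed request");
  if (acao !== origin) return result(false, "origin not allowed");
  if (acac !== "true") return result(false, "Access-Control-Allow-Credentials is not true");
  return result(true, "allowed with credentials");
}

// Constructed scenario: page on example.com calling api.example.com with a wildcard header.
const sample = evaluateRequest({
  pageUrl: "https://example.com/login",
  requestUrl: "https://api.example.com/check.php",
  withCredentials: false,
  cookieDomain: ".example.com",
  responseHeaders: { "access-control-allow-origin": "*" },
});
console.log(sample); // cookie not sent, so the PHP script sees no session
```

In AngularJS the client-side flag is the `withCredentials: true` option of the `$http` request config; the server then has to answer with the exact calling origin and `Access-Control-Allow-Credentials: true` rather than a wildcard.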

0 Answers