Hello,

I have a page that shows a value from the session, let's call it www.domain-a.com/master.php, and if I type it directly into the browser, it shows me the session value.

But when I try to download it with file_get_contents (or another method) from another domain, like www.domain-b.com/slave.php, it does not retrieve the content protected by the session, just a blank page.

I know it is because server-b is trying to retrieve the content, not the user...

Does anyone know how to tell domain-a that the one retrieving the information is the user? Is there a way to retrieve the session value?

Regards,

josé

A: 

Your PHP configuration is probably prohibiting you from retrieving files over HTTP.

Possible culprits:

Henrik Paul
A: 

You should be able to retrieve the content with curl. See this answer (you can probably drop the browser spoof option).

OIS
+1  A: 

You probably need to send the session ID of the user in a cookie along with the request.

If you want to use the file_get_contents function, you have to create a context to set a cookie:

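// Build an HTTP context that sends the session ID as a cookie.
$opts = array(
    'http' => array(
        'method' => 'GET',
        'header' => 'Cookie: PHPSESSID=0123456789abcdef0123456789abcdef'
    )
);
$context = stream_context_create($opts);
// The second argument is use_include_path (a boolean), so pass false.
echo file_get_contents('http://master.example.com/master.php', false, $context);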
Gumbo
But I don't know the PHPSESSID of the user... how could I know that?
You can’t get the user’s cookies for another site unless the user gives them to you, because cookies are domain-specific and only sent to the domain they are valid for.
Gumbo
A: 

Keep in mind that if your session code validates against the client IP address, then you may still have issues, as the client IP posted to your page will be that of the requesting server (using curl or file_get_contents) instead of the client browser.

Jason
A: 

If you have control over www.domain-a.com/master.php, then you can have it programmed in such a way that you could send it the username in encrypted fashion, like master.php?user=zxcvert2324 or whatever, and it would decrypt it and know who is sending the request.

Otherwise you would need to look into cURL and have the session created by first having curl log in to that site and then, on the next request, go to that master.php page.

Sabeen Malik
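
A sketch of the first suggestion in the answer above, added here as an example and not part of the original answer: instead of encrypting the username, domain-b signs it with an HMAC together with an expiry time, and master.php checks both before trusting it. SHARED_SECRET, TOKEN_TTL, issue_token() and verify_token() are hypothetical names, and the secret is a constructed placeholder that both servers are assumed to share.

```php
<?php
// Added example: HMAC-signed, short-lived user token shared by two sites.
// All names and values below are hypothetical / constructed.
const SHARED_SECRET = 'replace-with-random-bytes-from-a-secret-store';
const TOKEN_TTL = 60; // seconds a token stays valid

// URL-safe base64 without padding, so the token fits in a query string.
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// domain-b: build "payload.signature" for the user it has authenticated.
function issue_token(string $user, int $now): string {
    $payload = b64url(json_encode(['user' => $user, 'exp' => $now + TOKEN_TTL]));
    $sig = b64url(hash_hmac('sha256', $payload, SHARED_SECRET, true));
    return $payload . '.' . $sig;
}

// domain-a (master.php): return the user name, or null when the token is
// malformed, has a bad signature, or has expired.
function verify_token(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SHARED_SECRET, true));
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    // Only decode the payload after the signature has been checked.
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !is_string($data['user'] ?? null)
        || !is_int($data['exp'] ?? null) || $now > $data['exp']) {
        return null;
    }
    return $data['user'];
}

// Demo with constructed values.
$now = time();
$token = issue_token('jose', $now);
var_dump(verify_token($token, $now));        // fresh token
var_dump(verify_token($token, $now + 120));  // two minutes later, past TOKEN_TTL
var_dump(verify_token($token . 'x', $now));  // signature altered
```

domain-b would append the token to its request, as in master.php?user=..., and master.php would call verify_token() on that parameter. The short TOKEN_TTL limits how long a token copied from a log or referrer can be replayed.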