0

Hi, can anyone please help me? I wrote a simple PHP script, test.php. I am just reading a cookie and displaying it. When I open the URL below in the Chrome browser, I get this response:

https://www.domainname.com/cbscheck/test.php

response

testa3433^| 1^|1^|0da1d48927ec9118d271cc6a4f0df3e90ee4d296^|1

I called the same PHP URL from the HTML file below using XMLHttpRequest, but I am not getting the above response.

file:///G:/Hari/MyTaks/Chat/chatCheck.html

The response I am getting is empty.

My perception is that $_COOKIE is not working when I call it using XMLHttpRequest. Can anyone please help me resolve it? I have shared the code below.

testCheck.htm

<html>
<body>
<div id = 'onlineUsers' class='bottomDiv'>
</div>
<script>

  var url = 'https://www.somedomain.com/cbscheck/test.php';
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange=function() {
    if (this.readyState == 4 && this.status == 200) {       
        document.getElementById("onlineUsers").innerHTML = this.responseText;   
    }
  };
  xhttp.open("GET", url , true);
  xhttp.send();
</script>
</body>
</html>

test.php

<?php
echo $_COOKIE["loginInfo"];
?>
sideshowbarker

3 Answers

1

You need to set xhttp.withCredentials = true; to send credentials (and COOKIES too) to the target server using XMLHttpRequest. For more information, look at the docs.

The next problem you faced is about the Access-Control-Allow-Origin header. Your server sends the Access-Control-Allow-Origin: * header, and that's why your browser rejects your XMLHttpRequest. The Access-Control-Allow-Origin: * header means that your server application allows you to send requests from the frontend to ANY other server. In combination with xhttp.withCredentials = true it's a very big vulnerability, because a malware JS script on your page can send the user's credentials to any other place. That's why your browser rejects your request. You should add your domain to the Access-Control-Allow-Origin header and remove *. This problem was already solved in this question.

Ivan Kalita
  • Failed to load https://www.agarwalmatrimony.com/cbscheck/test.php: I tried it and I got the following error: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'null' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute. – hari prasad Oct 27 '17 at 05:52
  • @hariprasad this is another problem. You can’t return a wildcard in this header in case you want to send cookies to the server with XMLHttpRequest. Check this answer https://stackoverflow.com/a/19744754/3838486 – Ivan Kalita Oct 27 '17 at 06:00
  • @hariprasad, does it help? I also updated my answer with some explanation. – Ivan Kalita Oct 27 '17 at 09:08
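
As an added example (not code from the question or the answers), this Node.js sketch models the server-side header decision and the browser's check for a credentialed XMLHttpRequest, covering the wildcard rejection and the `null` origin quoted in the comments above. The function names and the allowlisted origin https://app.example.com are assumptions made for illustration.

```javascript
// Added illustration; function names and the allowlisted origin are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // placeholder origin

// Server side: choose CORS headers for a request that must carry cookies.
function corsHeadersFor(requestOrigin) {
  // Never echo arbitrary origins and never allowlist "null": file:// pages and
  // sandboxed iframes all send Origin: null, so any of them would match it.
  if (!requestOrigin || requestOrigin === "null" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers: the browser blocks the cross-origin read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, not "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from reusing the response for another origin
  };
}

// Browser side: simplified model of the CORS check applied to the response.
function browserAllowsRead(requestOrigin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (withCredentials) {
    if (acao === "*") return { ok: false, reason: "wildcard not allowed with credentials" };
    if (acao !== requestOrigin) return { ok: false, reason: "origin mismatch" };
    if (headers["Access-Control-Allow-Credentials"] !== "true")
      return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
    return { ok: true, reason: "credentialed read allowed" };
  }
  if (acao === "*" || acao === requestOrigin) return { ok: true, reason: "anonymous read allowed" };
  return { ok: false, reason: "origin mismatch" };
}

// The situations from the thread, plus the corrected setup.
function demo() {
  const wildcard = { "Access-Control-Allow-Origin": "*" };
  const app = "https://app.example.com";
  return {
    // No withCredentials: the read is allowed, but no cookie was sent (empty body).
    anonymous: browserAllowsRead("null", false, wildcard),
    // withCredentials with "*": the error quoted in the comments.
    wildcardWithCreds: browserAllowsRead("null", true, wildcard),
    // Page served from an allowlisted origin; the server echoes that origin.
    fixed: browserAllowsRead(app, true, corsHeadersFor(app)),
    // file:// page (Origin: null) against the allowlisting server.
    fileOrigin: browserAllowsRead("null", true, corsHeadersFor("null")),
  };
}
```

In current browsers the cookie must also be set with `SameSite=None; Secure` before it is attached to a cross-site XMLHttpRequest, and the page has to be served over HTTP(S) from the allowlisted origin rather than opened from `file://`.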
0

Ensure that the domain the cookie is set on and the domain you are making the ajax request to are the same. Also, check the URL path the cookie is set on.

The browser will send cookies only to the domain and within the URL path it was set on (if you don't apply specific cross-domain rules).

Oleg Loginov
-1

I think you have to run it on a server. If you open the HTML directly in the browser, it will not understand PHP code, so that's why it's not working.

Jinesh