I have two PHP-files.
The first: http://huntinggrounds.de/test/sessionToken.php openen a new session via session_start() and has the variable $_SESSION['token'] = "123";
By doing an fetch (ajax-call) to my second file (formTest.php) I wolud like to return this $_SESSION['token']. But this is always not valid anymore.
I detected that I get also always a new SessionID. What is definetely wrong.
If I call http://huntinggrounds.de/test/formTest.php direkt over the browser. Everything is correct. So the issue must be the ajax call.
Here are the sources: In start-file sessionToken.php:
fetch(form.getAttribute("action"), {
method: 'POST',
headers: {
'x-csrf-token': token,
'Accept': 'application/json, text/plain, */*',
'credentials': 'include'
},
body: data
})
my PHP-file formTest.php
<?php
//session_id('joe');
//session_start();
if (session_status()==1) {
session_start(); $sessionStart = "sessionNEU";
}
header('Access-Control-Allow-Methods: POST');
header("X-Powered-By: joe");
header("Access-Control-Allow-Headers: x-csrf-token, X-Requested-With");
header("Access-Control-Expose-Headers: x-csrf-token");
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Origin: *');
header($_SERVER["SERVER_PROTOCOL"]." 200 Ok");
header('Content-type: application/json');
$response= array();
$tokenNeu = generateToken(16);
//$tokenAlt = $_SERVER['HTTP_X_CSRF_TOKEN'];
$response["session"]["ID"] = session_id();
$response["session"]["savePath"] = session_save_path();
$response["session"]["startsNew"] = $sessionStart ? "yes" : "no";
$response["session"]["hasToken"] = isset($_SESSION['token']) ? "yes" : "no";
$response["session"]["token"] = $_SESSION['token'];
$response["session"]["tokenValid"] = ($_SESSION['token'] == $_SERVER['HTTP_X_CSRF_TOKEN']) ? "valid" : "invalid";
$response["session"]["tokenCSFR"] = $_SERVER['HTTP_X_CSRF_TOKEN'];
$response["session"]["tokenNew"] = $tokenNeu;
echo json_encode($response);...
Any idea what force the testForm.php to give a new SessionID.
(When I set in both files session_id('joe'); it works like a charm)
Please do not comment that the session_start(); has to be in the first line. This is tested and fails.
I'am on PHP7.