I'm having trouble getting CORS to accept cross-origin requests from imported PHP scripts. I have two subdomains for my website: 'php.<my wesbite>.com', which is where I host my PHP scripts, and 'admin.<my website>.com', which is where I host my Vue.js admin control panel.
I have a file called 'common_headers.php' for setting the CORS headers, which I import via 'require' in my other PHP scripts. In 'get_flagges_policies.php' and 'validate_session_token.php', I do this at the very top of the files. However, CORS only accepts 'get_flagged_policies' if I don't import 'validate_session_token'.
I have tried manually adding the headers to 'validate_session_token', but this does not resolve the issue. My only solution at this time is to paste the code for validating session tokens into my flagged policies script, but then I would have to do the same for all of my PHP scripts which require validation.
php.<my website>.com/miscellaneous/common_headers.php:
<?php
function setCommonHeaders() {
$allowedOrigins = [
'https://php.<my website>.com',
'https://admin.<my website>.com',
'https://www.<my website>.com',
];
if (isset($_SERVER['HTTP_ORIGIN'])) {
$origin = $_SERVER['HTTP_ORIGIN'];
$parsedUrl = parse_url($origin);
$host = $parsedUrl['host'] ?? '';
if (in_array($origin, $allowedOrigins) || preg_match('/(^|\.)<my website>\.com$/', $host)) {
header("Access-Control-Allow-Origin: " . $origin);
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
header("Access-Control-Allow-Methods: POST, GET");
header("Access-Control-Max-Age: 3600");
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
header("HTTP/1.1 200 OK");
return;
}
}
} else {
header("Content-Type: application/json; charset=UTF-8");
}
}
?>
php.<my website>.com/insurance/get_flagged_policies.php:
<?php
require '../miscellaneous/common_headers.php';
setCommonHeaders();
include '../../connect.php';
$input = json_decode(file_get_contents('php://input'), true);
$limit = isset($input['limit']) ? (int) $input['limit'] : 20;
$offset = isset($input['offset']) ? (int) $input['offset'] : 0;
$session_token = $input['session_token'];
require '../session/validate_session_token.php'; // This line is causing the CORS error
validateSessionToken($conn, $session_token, true);
// ... rest of script
php.<my website>.com/session/validate_session_token.php:
<?php
require '../miscellaneous/common_headers.php';
setCommonHeaders();
function validateSessionToken($conn, $session_token, $adminRequired) {
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
if (!isset($_SESSION['user_id'])) {
exit('user_not_logged_in');
}
// ... rest of script
var_dump($_SERVER['HTTP_ORIGIN']);
what does it show?setCommonHeaders()
function twice because yourequire '../miscellaneous/common_headers.php';
twice? The description of the problem you're having isn't very clear.require_once
rather thanrequire
to prevent duplication.var_dump
at the end of thesetCommonHeaders()
function returnsNULL
; same if I add it in get_flagged_policies. Also, replacingrequire
withrequire_once
doesn't resolve the issue.Origin:
header. I'm not sure why, since any browsers that implement CORS should send this.