I am generating a unique token and saving it in a session variable on every request (in typical CSRF-protection fashion). The token is refreshed after it has been validated against the POSTed token value.
Here is my code (index.php):
```php
<?php
session_start();
if (!empty($_POST['token'])) {
    var_dump($_POST['token'], $_SESSION['token']);
    exit;
}
$_SESSION['token'] = rand();
echo '<form action="index.php" method="post"><input name="token" value="' . $_SESSION['token'] . '"></form>';
```
When I use php -S localhost:8888 to run the script, it works fine. But when I specify the index.php file, like php -S localhost:8888 index.php, the $_SESSION['token'] is changed ($_POST['token'] and $_SESSION['token'] do not match).
I have also tried using a routing file. It does not work either: php -S localhost:8888 server.php

```php
<?php
// server.php
$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$uri = urldecode($uri);
if ($uri !== '/' and file_exists($uri))
{
    return false;
}
require_once 'index.php';
```
Console output:

php -S localhost:8888

```
php -S localhost:8878
[Mon Mar 29 11:49:49 2021] PHP 8.0.3 Development Server (http://localhost:8878) started
[Mon Mar 29 11:49:52 2021] [::1]:47410 Accepted
[Mon Mar 29 11:49:52 2021] [::1]:47412 Accepted
[Mon Mar 29 11:49:52 2021] [::1]:47410 [200]: GET /
[Mon Mar 29 11:49:52 2021] [::1]:47410 Closing
[Mon Mar 29 11:49:53 2021] [::1]:47412 [404]: GET /favicon.ico - No such file or directory
[Mon Mar 29 11:49:53 2021] [::1]:47412 Closing
```

php -S localhost:8888 server.php

```
php -S localhost:8858 server.php
[Mon Mar 29 11:48:51 2021] PHP 8.0.3 Development Server (http://localhost:8858) started
[Mon Mar 29 11:48:53 2021] [::1]:33156 Accepted
[Mon Mar 29 11:48:53 2021] [::1]:33158 Accepted
[Mon Mar 29 11:48:53 2021] [::1]:33156 Closing
[Mon Mar 29 11:48:54 2021] [::1]:33158 Closing
```
Tested using:
PHP 7.3.27-1~deb10u1 (cli) (built: Feb 13 2021 16:31:40) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.27, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.27-1~deb10u1, Copyright (c) 1999-2018, by Zend Technologies
and
PHP 8.0.3 (cli) (built: Mar 5 2021 08:38:30) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.3, Copyright (c) Zend Technologies
with Zend OPcache v8.0.3, Copyright (c), by Zend Technologies
Is this a bug in the PHP built-in server?
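Two details in the question are worth checking against the logs. With a router script, the built-in server hands every request to that script, including the browser's GET /favicon.ico that appears as a 404 in the first log and is absent from the second; and the router above tests file_exists('/favicon.ico') against the filesystem root rather than the document root, so that request falls through to index.php and mints a fresh token before the form is ever submitted. The single-file router below is an added example, not code from the question or from the answer; it assumes it is started as php -S localhost:8888 server.php from the directory that holds it, only serves files that really exist under that directory, and mints a token once per session instead of once per request:

```php
<?php
// server.php (added example): router plus the CSRF demo in one file.

// 1. Static files: resolve the path under the document root (not "/"),
//    refuse anything that escapes it, and let the server deliver it by
//    returning false. This keeps /favicon.ico from running the app code.
$uri  = urldecode(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
$file = realpath(__DIR__ . $uri);
if ($uri !== '/' && $file !== false
    && strpos($file, __DIR__ . DIRECTORY_SEPARATOR) === 0
    && is_file($file)) {
    return false;
}

// 2. Application code.
session_start();

// Mint the token only when the session has none. A token regenerated on
// every request is overwritten by any parallel request from the same browser.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $posted = $_POST['token'] ?? '';
    // Constant-time comparison; hash_equals needs two strings.
    $valid = is_string($posted) && hash_equals($_SESSION['token'], $posted);
    // Rotate after the check so a token that leaked cannot be replayed.
    $_SESSION['token'] = bin2hex(random_bytes(32));
    if (!$valid) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    exit('token ok');
}

// GET: render the form with the current token, escaped for HTML output.
$token = htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8');
echo '<form action="/" method="post">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<button type="submit">Submit</button></form>';
```

Once the token survives unrelated requests, the difference between running with and without a router disappears, because the router no longer decides whether the token is regenerated.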
My Answer:
It seems like the issue you are experiencing might be related to how the PHP built-in server handles sessions when specifying the PHP file directly.
One possible workaround could be to explicitly set the session id using session_id() before starting the session. This way, the session id will remain consistent even when specifying the PHP file directly.
Here is an example of how you can modify your code to set the session id:
```php
<?php
// Set the session id before starting the session.
session_id('my_unique_session_id');
session_start();
if (!empty($_POST['token'])) {
    var_dump($_POST['token'], $_SESSION['token']);
    exit;
}
$_SESSION['token'] = rand();
echo '<form action="index.php" method="post"><input name="token" value="' . $_SESSION['token'] . '"></form>';
```
By setting a specific session id, you can ensure that the session remains consistent even when specifying the PHP file directly in the PHP built-in server.
I hope this helps resolve the issue you are facing with the session token being changed before validation. Let me know if you have any other questions or concerns.