Added support for X-Proxy-Cookie

Svish · Svish · commit 81ea05b30036 · 2016-01-15T02:39:05.000+01:00
diff --git a/README.md b/README.md
@@ -11,6 +11,8 @@ This is such a script.
 
 
 
+
+
 Installation
 ---
 
@@ -42,41 +44,9 @@ And then for example add a `proxy.php` like this to your web application:
 
 ```
 
-Security
----
-
-The whitelist array can contain any number of these criterias:
-
-- Exact paths  
-    `['http://example.com/api/specific-method']`
-- Array with single regex key  
-    `['regex' => '%^http://example.com/api/%']`
-- Array with any [parse_url](http://php.net/manual/en/function.parse-url.php) components to match  
-    `['host' => 'example.com']`  
-    `['host' => 'example.com', 'scheme' => 'https']`
-
-The requested URL must match at least one of the whitelisted criterias to be accepted, otherwise a 403 will be returned. An empty whitelist will accept any requests.
-
-**An example using all types**
-
-``` PHP
-<?php
-
-require 'vendor/autoload.php';
-
-CrossOriginProxy::proxy([
-	// Exact matching
-	['http://www.yr.no/place/Sweden/Stockholm/Stockholm/forecast.xml'],
 
-	// URL component matching
-	['host' => 'localhost'],
-	['host' => 'example.com', 'scheme' => 'http'],
 
-	// Regex matching
-	['regex' => '%^http://www.yr.no/place/Norway/%'],
-]);
 
-```
 
 Usage
 ---
@@ -89,7 +59,10 @@ On the client-side, when performing cross-origin requests:
 All parameters and HTTP headers (except `Cookie`, `Host` and `X-Proxy-URL`) will be used to recreate the request and performed server-side by the proxy. When complete it will mirror the response, including headers, and return it to the client-side script more or less as if it had been called directly.
 
 
-Using jQuery
+
+
+
+Usage with jQuery
 ---
 
 **Basic GET request**
@@ -99,7 +72,20 @@ $.ajax({
     url: 'proxy.php',
     cache: false,
     headers: {
-        'X-Proxy-URL': 'http://api.example.com/some/path',
+        'X-Proxy-URL': 'http://example.com/api/method',
+    },
+})
+```
+
+**Basic GET request with cookie**
+
+``` JAVASCRIPT
+$.ajax({
+    url: 'proxy.php',
+    cache: false,
+    headers: {
+        'X-Proxy-URL': 'http://example.com/api/method',
+        'X-Proxy-Cookie': 'jsessionid=AS348AF929FK219CKA9FK3B79870H;',
     },
 })
 ```
@@ -140,6 +126,54 @@ $.ajax({
 
 When using `cache:false` jQuery adds a `_` GET parameter to the URL with the current timestamp to prevent the browser from returning a cached response. This happens *before* the `ajaxSend` event, so in the above case, if you had set `cache:false`, that `_` parameter would just be "moved" to the `X-Proxy-URL` header and no longer have any effect. So instead, leave `cache` at its default value `true`, and add the parameter manually to the proxy url instead.
 
-**More?**
+*Some more examples can be found in [test/index.html](test/index.html).*
+
+
+
+Security
+---
+
+The hostname of the referer is checked, but can be easily spoofed, so the whitelist array should be put to good use. Fill it with any number of the following types of criterias:
+
+- Exact paths  
+    `['http://example.com/api/specific-method']`
+- Array with single regex key  
+    `['regex' => '%^http://example.com/api/%']`
+- Array with any [parse_url](http://php.net/manual/en/function.parse-url.php) components to match  
+    `['host' => 'example.com']`  
+    `['host' => 'example.com', 'scheme' => 'https']`
+
+The requested URL must match at least one of the whitelisted criterias to be accepted, otherwise a 403 will be returned. The whitelist can also be set to an empty array to allow any URLs.
+
+**Example**
+
+``` PHP
+<?php
+
+require 'vendor/autoload.php';
+
+CrossOriginProxy::proxy([
+
+	// URL component matching
+	['host' => 'localhost'],
+	['host' => 'example.com', 'scheme' => 'https'],
+
+	// Exact matching
+	['http://www.yr.no/place/Sweden/Stockholm/Stockholm/forecast.xml'],
+
+	// Regex matching
+	['regex' => '%^http://www.yr.no/place/Norway/%'],
+
+]);
+
+```
+
+Cookies
+---
+
+Cookies sent to the proxy will be ignored, since the browser will send the ones meant for the domain of the proxy, and not the cookies meant for the proxied resource. Don't want stuff to leak!
+
+If a request requires a certain cookie set, for example a session id, you can set the `X-Proxy-Cookie` header which is then used as `Cookie` header by the proxy.
+
+    X-Proxy-Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H;
 
-Some more examples can be found in [test/index.html](test/index.html).
diff --git a/proxy.php b/proxy.php
@@ -18,7 +18,7 @@
 $headers = getallheaders();
 $method = __('REQUEST_METHOD', $_SERVER);
 $url = __('X-Proxy-URL', $headers);
-
+$cookie = __('X-Proxy-Cookie', $headers);
 
 // Check that we have a URL
 if( ! $url)
@@ -40,6 +40,8 @@
 // Remove ignored headers and prepare the rest for resending
 $ignore = ['Cookie', 'Host', 'X-Proxy-URL'];
 $headers = array_diff_key($headers, array_flip($ignore));
+if($cookie)
+	$headers['Cookie'] = $cookie;
 foreach($headers as $key => &$value)
 	$value = "$key: $value";
 
