code-boxx · September 29, 2024 05:24 · May 26, 2023 · May 11, 2023
diff --git a/0-PHP-CORS-COOKIE.MD b/0-PHP-CORS-COOKIE.MD
@@ -1,4 +1,4 @@
-## FULL TUTORIAL
+## PHP CROSS-DOMAIN COOKIE
 https://code-boxx.com/cors-cookie-php/
 
 ## LICENSE

diff --git a/0-PHP-CORS-COOKIE.MD b/0-PHP-CORS-COOKIE.MD
@@ -0,0 +1,23 @@
+## FULL TUTORIAL
+https://code-boxx.com/cors-cookie-php/
+
+## LICENSE
+Copyright by Code Boxx
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/1-fetch.html b/1-fetch.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>PHP CORS Set Cookie</title>
+  </head>
+  <body>
+    <!-- (A) DEMO BUTTON -->
+    <input type="button" value="CORS Cookie" onclick="demo()">
+
+    <script>
+    function demo () {
+      // (B) CORS FETCH TO SITE B
+      fetch("https://site-b.com/2-handler.php", {
+        mode : "cors",
+        credentials : "include"
+      })
+
+      // (C) FOR DEBUGGING, CONSOLE LOG ALL RESPONSES.
+      .then(res => {
+        console.log(res);
+        return res.text();
+      })
+      .then(res => console.log(res))
+      .catch(err => console.log(err));
+    }
+    </script>
+  </body>
+</html>
diff --git a/2-handler.php b/2-handler.php
@@ -0,0 +1,30 @@
+<?php
+// (A) GET REQUEST ORIGIN
+if (array_key_exists("HTTP_ORIGIN", $_SERVER)) {
+  $origin = $_SERVER["HTTP_ORIGIN"];
+} else if (array_key_exists("HTTP_REFERER", $_SERVER)) {
+  $origin = $_SERVER["HTTP_REFERER"];
+} else {
+  $origin = $_SERVER["REMOTE_ADDR"];
+}
+
+// (B) CHECK ALLOWED DOMAINS
+if (!in_array(
+  parse_url($origin, PHP_URL_HOST),
+  ["site-a.com", "site-b.com"]
+)) {
+  http_response_code(403);
+  exit("$origin not allowed");
+}
+
+// (C) PROCEED - SET CORS COOKIE
+header("Access-Control-Allow-Origin: $origin");
+header("Access-Control-Allow-Credentials: true");
+setcookie("It", "Works", [
+  "expires" => time()+3600,
+  "path" => "/",
+  "domain" => ".site-b.com",
+  "secure" => true,
+  "samesite" => "None"
+]);
+echo "OK";
diff --git a/3-show.html b/3-show.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>PHP CORS Set Cookie</title>
+  </head>
+  <body>
+    <div id="demo"></div>
+    <script>
+    document.getElementById("demo").innerHTML = document.cookie;
+    </script>
+  </body>
+</html>