I have a general question about handling cookies if you are working on two servers while developing (one server each for front- and backend).
I have built a web application with a login system. There are two main routes:
“/” is the landing page for the public, with the option to log in or create an account
“/dashboard” is a protected starting page after you have logged in
If you register (create a new account), the app automatically logs you in (and therefore redirects you to “/dashboard”).
All of this works fine. To prevent users from entering the protected area by manually typing the /dashboard route into the browser's URL bar, I want it to check instantly whether a user is logged in or not.
Although during the process of creating an account the $_SESSION variable for the logged-in user is set, right after redirecting to “/dashboard” (and therefore an instant check for the same $_SESSION variable that was set milliseconds ago) I can see from the response of the check that this particular $_SESSION variable is not set.
So is there anything special I need to keep in mind when having the backend on a different server?
Why am I emphasising the different server so much?
Well, my application already worked fine. I used to work with plain JS and plain PHP. That was easy to work with because I just had my complete project in the htdocs folder of XAMPP's Apache web server.
I am refactoring my application from plain JS to Vue 3.
So this is different now:
- My Vue CLI runs a web server for the Vue application on “localhost:8080”
- My backend stays in htdocs because, well, I need a server that runs PHP on “localhost”
- In JS (and Vue) I work with fetch(). As the endpoint for the PHP I used to use a relative path (because it was all in one project directory) like fetch("../src/backend/main.php") and now I use the path to the localhost server like fetch("http://localhost/backend/main.php")
- Because localhost:8080 is, for my backend, different from “localhost”, I have set the following headers in my backend:
header("Access-Control-Allow-Origin: *");                      // allow any origin
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Credentials");
session_start();                                               // start or resume the PHP session
Because those are the only things that are new, I assume that my problem has to do with the additional server for my development environment, but if you see another cause please let me know.
I want to emphasise that every other communication between front- and backend works perfectly fine; it's just that I have the feeling that sessions are treated differently now and I would love to know why.
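Added example, not part of the original post: a Node/JS model of the CORS rules a browser applies to credentialed cross-origin requests, which is what decides whether the PHP session cookie travels between http://localhost:8080 and http://localhost. The helper names and the origin allowlist are assumptions; the PHP side would send the same header values via header().

```javascript
// Added example (not from the original post). Models the browser rules for sending
// cookies on cross-origin fetch() calls: the Vue dev server (http://localhost:8080)
// is a different origin from the PHP backend (http://localhost), so the session
// cookie is only sent/stored when both sides opt in explicitly.

// Assumed allowlist of origins that may call the API with cookies. A wildcard "*"
// cannot be used here: browsers reject credentialed responses that carry it.
const ALLOWED_ORIGINS = ['http://localhost:8080'];

// CORS response headers for one request, given its Origin request header.
// Unknown origins get no CORS headers, so the browser blocks the response.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,        // echo the one exact origin
    'Access-Control-Allow-Credentials': 'true',   // permit cookies on this response
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',                             // caches must key on Origin
  };
}

// fetch() options the front end must use. Without credentials: 'include' the
// browser neither sends the PHPSESSID cookie nor stores the one Set-Cookie returns,
// so every call to the backend starts a fresh, empty $_SESSION.
function credentialedFetchOptions(method, body) {
  const opts = { method, credentials: 'include', headers: {} };
  if (body !== undefined) {
    opts.headers['Content-Type'] = 'application/json';
    opts.body = JSON.stringify(body);
  }
  return opts;
}

// Browser-side check: may a credentialed request read this response?
// Requires the exact origin (not "*") plus Allow-Credentials: true.
function browserAcceptsCredentialed(origin, headers) {
  return headers['Access-Control-Allow-Origin'] === origin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

module.exports = { corsHeadersFor, credentialedFetchOptions, browserAcceptsCredentialed };
```

Keeping the allowlist to known dev and production origins also means an arbitrary site cannot ride on a logged-in user's session cookie through the same API.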