I am doing authentication for a web service in PHP. When a user authenticates, a session is generated. Eventually this session expires and the user needs to authenticate again. The authentication information is sent in the HTTP headers.
But it seems that sometimes the variable $_SERVER (or apache_request_headers()) returns some headers that are not being sent by the client in the current request (they were sent in previous requests). For instance, sometimes I get the variable $_SERVER['HTTP_RESPONSE'] filled with information from previous requests.
Is it normal for $_SERVER or apache_request_headers() to ‘persist’ across requests?
It depends on whether or not you’re using a browser to access the script.
Your ‘persistent’ headers are probably due to browser caching, but even then I’m not entirely sure what is happening. I’ve tried running a few tests using Fiddler, but couldn’t replicate the problem.
Maybe try clearing your cache, as different headers might have been stored from previous versions of the script.
But I would definitely avoid sending authentication params in the headers. Unless you’re using HTTPS, they’re liable to be sniffed and stolen. Why are you using headers?