I am implementing the LinkedIn JavaScript to REST token exchange, and have an SSL-enabled page that a member signs in on, which stores their oauth token in a secure ‘credential’ cookie, per the docs. I am then attempting to pass those cookies to a PHP page via jQuery $.post():
    $.post('https://' + document.domain + '/exchange.php', function(data) {
        alert(data);
    });
When I inspect the data being sent via Firebug, I can see the following in the header of the jQuery POST:
Cookie: __utma=xxxx; __utmc=xxxx; __utmz=xxxx; linkedin_oauth_YYYY=yyyy; PHPSESSID=xxxx; __utmb=xxxx
Yet on the exchange.php page, only the non-secure cookies are exposed (only the Google Analytics and the PHP session cookie can be seen by the receiving page) by doing print_r($_COOKIE);:
    Array
    (
        [__utma] => xxxx
        [__utmc] => xxxx
        [__utmz] => xxxx
        [PHPSESSID] => xxxx
        [__utmb] => xxxx
    )
Any ideas what I am doing wrong? I am POSTing to the same domain, using SSL, yet the secure cookie is not available to the exchange.php script.
Update:
I am now echoing out the $_SERVER values on the exchange.php page as well, and interestingly I get the following:
    Array
    (
        [HTTPS] => on
        [HTTP_COOKIE] => __utma=xxxx; __utmc=xxxx; __utmz=xxxx; linkedin_oauth_YYYY=yyyy; PHPSESSID=xxxx; __utmb=xxxx
    )
So the cookie is getting passed, but not set in the $_COOKIE variable? FYI, running PHP 5.3.3.
Figured this out – on the server where I am running the above code, I have Suhosin installed and it was limiting both request and cookie indices to a max length of 64 characters – which the full unobfuscated linkedin_oauth_YYYY cookie index was longer than. Here are the changes I made to php.ini:
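A diagnostic for the mismatch described above, as an added example that is not part of the original post and does not reproduce the poster's php.ini changes: it compares the raw Cookie header with $_COOKIE and flags dropped names that exceed the name-length limit. The function name dropped_cookies and the sample cookie are constructed for illustration; suhosin.cookie.max_name_length is Suhosin's cookie-name limit directive, and the fallback of 64 is the limit reported in the post.

```php
<?php
// Added diagnostic, not the poster's code. Written for PHP 5.3 (array() syntax).
// Reports cookie names only, never values, so it is safe to send to a log.

function dropped_cookies($rawHeader, array $parsed, $maxNameLen)
{
    $report = array();
    foreach (explode(';', $rawHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $name  = urldecode($parts[0]);
        // PHP rewrites '.' and ' ' in cookie names to '_' before storing them.
        $key = str_replace(array('.', ' '), '_', $name);
        // For array-style names (a[b]) only the base name is a top-level key.
        $bracket = strpos($key, '[');
        if ($bracket !== false) {
            $key = substr($key, 0, $bracket);
        }
        if (!array_key_exists($key, $parsed)) {
            $len = strlen($name);
            $report[$name] = array('length' => $len, 'over_limit' => $len > $maxNameLen);
        }
    }
    return $report;
}

// ini_get() returns false when the Suhosin extension is not loaded.
$limit = ini_get('suhosin.cookie.max_name_length');
$limit = ($limit === false || $limit === '') ? 64 : (int) $limit;

if (isset($_SERVER['HTTP_COOKIE'])) {
    $raw  = $_SERVER['HTTP_COOKIE'];
    $seen = $_COOKIE;
} else {
    // Constructed sample so the script also runs from the command line.
    $longName = 'linkedin_oauth_' . str_repeat('Y', 60); // 75-character name
    $raw  = '__utma=xxxx; ' . $longName . '=yyyy; PHPSESSID=xxxx';
    $seen = array('__utma' => 'xxxx', 'PHPSESSID' => 'xxxx');
}

foreach (dropped_cookies($raw, $seen, $limit) as $name => $info) {
    $note = $info['over_limit'] ? " exceeds the limit of $limit" : '';
    error_log(sprintf('Cookie dropped before $_COOKIE: %s (%d chars)%s', $name, $info['length'], $note));
}
```

A dropped cookie that is not over the limit points to a different filter, such as a value-length or variable-count limit, rather than the name length.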