I’m having an issue accessing raw request information from PHP when accessing a script using the HTTP DELETE directive. I’m using a JS front end which is accessing a script using Ajax. This script is actually part of a RESTful API which I am developing.
The endpoint in this example is:
This endpoint is used to generate an authentication token which can be used for subsequent API requests. Using the GET method on this URL along with a modified version of HTTP Basic Authentication will provide an access token for the client. This token must then be included in all other interactions with the service until it expires.
Once a token is generated, it is passed back to the client in a format specified by an ‘Accept’ header which the client sends the service; in this case ‘application/json’. Upon success it responds with an HTTP 200 Ok status code. Upon failure, it throws an exception using the HTTP 401 Authorization Required code.
Now, when you want to delete a session, or ‘log out’, you hit the same URL, but with the HTTP DELETE directive. To verify access to this endpoint, the client must prove they were previously authenticated by providing the token they want to terminate.
If they are ‘logged in’, the token and session are terminated and the service should respond with the HTTP 204 No Content status code, otherwise, they are greeted with the 401 exception again.
Now, the problem I’m having is with removing sessions. With the DELETE directive, using Ajax, I can’t seem to access any parameters I’ve set once the request hits the service. In this case, I’m looking for the parameter entitled ‘token’.
I look at the raw request headers using Firebug and I notice the ‘Content-Length’ header changes with the size of the token being sent. This is telling me that this data is indeed being sent to the server.
The question is, using PHP, how the hell to I access parameter information? It’s not a POST or GET request, so I can’t access it as you normally would in PHP. The parameters are within the content portion of the request.
I’ve tried looking in $_SERVER, but that shows me limited amount of headers. I tried ‘apache_request_headers()’, which gives me more detailed information, but still, only for headers. I even tried ‘file_get_contents(‘php://stdin’);’ and I get nothing.
How can I access the content portion of a raw HTTP request?
Sorry for the lengthy post, but I figured too much information is better than too little. 🙂
I think you’re misusing HTTP DELETE. It should normally be used as a request to delete a resource on the server: the resource pointed to by the request URI. You could encode your access token as a query parameter, but that’s not how DELETE should be used. e.g, a request of:
SHOULD be treated as a request to delete the ‘somescript.php’ file from the server.
You should rewrite your system to use a POST request, which is the usual method of doing such things. The POST handler script can delete the session and reply with the appropriate headers to unset any cookies you might have created.