Mainly, my problem is that when I make a request with cURL including a session cookie with a random value, the MODX session starts with the value of that cookie, which is confusing me a lot.
MODX session and cookie config:
anonymous_sessions: Yes
default_username: (anonymous)
session_cookie_httponly: Yes
session_cookie_secure: Yes
session_handler_class: [empty]
session_name: PHPSESSID
Example request:
curl -i -X GET "https://www.example.com/test-page" -b "PHPSESSID=adventure-time" -v
Request headers:
> GET /test-page HTTP/2
> Host: www.example.com
> User-Agent: curl/8.1.2
> Accept: */*
> Cookie: PHPSESSID=adventure-time
>
Response headers:
< HTTP/2 200
< date: Fri, 17 Nov 2023 09:58:21 GMT
< server: Apache
< expires: 0
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< set-cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
< vary: Accept-Encoding
< content-length: 1636
< content-type: text/html; charset=UTF-8
PHP response:
$_COOKIE['PHPSESSID']: adventure-time
session_id(): adventure-time
session_id() == $_COOKIE['PHPSESSID']: access granted
Isn't this wrong behaviour, or do I not understand how PHP sessions should work? Could someone shed some light, please...
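
An added example, not part of the original post: a CLI script that compares the session ID PHP ends up using for a client-chosen value with session.use_strict_mode off (the PHP default) and on. It assumes PHP's built-in "files" session handler (the post shows session_handler_class empty); the function name effectiveSessionId and the use of session_id() to stand in for the request cookie are choices made for this example.

```php
<?php
// Added example, not from the original post. Run with: php strict_mode_demo.php
// Assumption: PHP's built-in "files" session handler is in use.

/**
 * Start a session as if the client had sent PHPSESSID=$clientId and
 * return the session ID PHP actually ends up using.
 */
function effectiveSessionId(string $clientId, bool $strictMode): string
{
    ini_set('session.use_strict_mode', $strictMode ? '1' : '0');
    ini_set('session.use_cookies', '0');   // CLI run: no Set-Cookie header to send
    ini_set('session.cache_limiter', '');  // CLI run: no cache headers either
    session_save_path(sys_get_temp_dir());

    session_id($clientId);  // stands in for "Cookie: PHPSESSID=<value>"
    session_start();
    $effective = session_id();
    session_destroy();      // remove the session file again
    return $effective;
}

$clientId = 'adventure-time';   // the value from the curl request in the post

// Collect both results before printing: session settings cannot be
// changed once output has started.
$lax    = effectiveSessionId($clientId, false);
$strict = effectiveSessionId($clientId, true);

foreach (['0' => $lax, '1' => $strict] as $mode => $id) {
    $verdict = ($id === $clientId) ? 'client value adopted' : 'replaced with a server-generated ID';
    printf("use_strict_mode=%s: %s (%s)\n", $mode, $id, $verdict);
}
```

In a web application the same setting goes in php.ini as session.use_strict_mode = 1, and calling session_regenerate_id(true) at login keeps an ID that was set before authentication from carrying over into the authenticated session.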