Many PHP applications I've worked with handled authentication via sessions and provided some sort of REST API. In case server-side rendering is not sufficient some components were implemented via a frontend framework (something like Vue or React) which consumed this API to provide a better and more fluent user experience. Think of something like an administration backend where most things (like list of users, settings, ...) can be simply rendered on the server while some parts your dashboard might be a bit more "interactive" data (like showing revenue for a configurable period of time) where data has to be reloaded on a specific action (e.g. adjusting the period).

These kinds of APIs are just consumed by your administration backend which already where authentication is already handled via PHP sessions. The fact that you can't consume these queries without being logged in with your browser is most likely enough.

But when your API expects a body, specific headers or you simply want to test out your REST API without a browser it can get a bit tricky. That's where things like Postman or even cURL might come in handy - the only thing you need to know to use these things is how to successfully login without ever seeing a login form.

How does authentication work?

Before getting to the point let's take a brief look at how authentication works for PHP applications: most of the time when entering a PHP application you'll receive a session id (which is basically just a random string like 3sbk8cu0947mt2allfkqnuivcd) which is used by PHP to identify you; the session ID is saved on the server and in your browser (most likely in a cookie) which then will be sent to the server for every request. For every request PHP now checks if this session ID is known and - in case it is - is able to identify you by it.


Authenticating via tools like cURL or Postman can be done by the exact way your browser does it: send your session ID to the server so it's able to identify you.

So what we're going to need is the value of our session ID. This can easily be retrieved by simply logging into your application in your browser, open the developer tools (ctrl+shift+i in Chrome and Firefox), head over to the "Network" tab and find your current page. There you've got a "Cookies" tab which will show the value of your session ID with the name PHPSESSID.

Right click on this cookie to copy its value and we're good to go!

With cURL

Sending a cookie with cURL is pretty easy:

curl --cookie "PHPSESSID=<your session id>" https://<your api>

And that's it. As long as your session ID is valid you'll no longer receive access issues and can now happily spam your API via cURL.

With Postman

It works the same in Postman (and in every other tool out there); look for the "Cookies" button in your "Params" box in Postman:

The most beautiful red arrow you'll ever see.

Add a new cookie for your site with the following value:

PHPSESSID=<your session id>; path=/; domain=.<your domain>; Expires=Tue, 19 Jan 2038 03:14:07 GMT;

So everything should look like this:


Your session ID will now be sent to your server via Postman and as long it is valid you shouldn't retrieve any authentication errors.