<?php
// Accepts JSON { user: "DOM\\user" } from same-origin JS and sets cookie
  header('Content-Type: application/json; charset=utf-8');

  $origin  = $_SERVER['HTTP_ORIGIN']  ?? '';
  $referer = $_SERVER['HTTP_REFERER'] ?? '';
  $allowed = 'https://opwsinf.appliarmony.net';
  $ok = false;
  if ($origin && stripos($origin, $allowed) === 0) $ok = true;
  if ($referer && stripos($referer, $allowed) === 0) $ok = true;
  if (!$ok) {
    http_response_code(403);
    echo json_encode(['error'=>'forbidden origin']);
    exit;
  }

  $raw = file_get_contents('php://input');
  $data = json_decode($raw, true);
  if (!is_array($data) || empty($data['user'])) {
    http_response_code(400);
    echo json_encode(['error'=>'invalid payload']);
    exit;
  }

  $user = $data['user'];
  $ip   = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '';

  $cookie = [
    'user'    => $user,
    'ip'      => $ip,
    'created' => date('Y-m-d H:i:s'),
    'last'    => date('Y-m-d H:i:s'),
  ];

// Cookie host-only (no Domain) ;
  setcookie('UserInfo', json_encode($cookie), [
    'expires'  => time() + 86400*365,
    'path'     => '/',
    // 'domain'   => '.appliarmony.net',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
  ]);

  echo json_encode(['ok'=>true, 'user'=>$user]);