|
|
Posted by Chuck Anderson on 06/08/07 03:12
I've instituted a sessions based scheme on my web site to combat hot
linking to my images. When someone requests a page at my site, I set a
session variable. I then use htaccess to redirect *all* image requests
to a Php script that checks for that variable before simply delivering
the image. Direct links to my images will fail this test and no image
is served.
I am monitoring my script by sending emails to myself and finding that
this session variable is sometimes not set for what appear to be real
visitors to my pages (my page is the HTTP_REFERER ).
My first thought was that people were spoofing the referrer to look like
a request from my page (which I figured would have to be very - even
extremely - rare). On another hunch, I tried disabling cookies in my
browser and I got the same result. There is no session variable.
On my shared server:
session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 0
I thought this meant that if a visitor has cookies disabled, the server
would send the session ID in the headers somehow (vague as my
understanding of this is), but I am not finding that to be the case.
There are several visitors every day that appear to be at my site, but
no session var has been set (so my script does not serve the images -
d'oh!).
I tried setting use_trans_sid, but I agree with the warning at Php.net
(that people will bookmark or email the URL with the session ID in it).
And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
..... .... and .... ..... that didn't even work anyway (??).
Am I mistaken? I thought I could use sessions with visitors regardless
of their cookie settings.
Is there a way to insure that every visitor to my pages will, indeed,
return a session ID with further GET requests (for the images)?
--
*****************************
Chuck Anderson • Boulder, CO
*****************************
Navigation:
[Reply to this message]
|