Re: sessions - with or without cookies

Posted by Schraalhans Keukenmeester on 06/08/07 12:19

At Thu, 07 Jun 2007 21:12:26 -0600, Chuck Anderson let h(is|er) monkeys
type:

> I've instituted a sessions based scheme on my web site to combat hot
> linking to my images. When someone requests a page at my site, I set a
> session variable. I then use htaccess to redirect *all* image requests
> to a PHP script that checks for that variable before simply delivering
> the image. Direct links to my images will fail this test and no image
> is served.
>
> I am monitoring my script by sending emails to myself and finding that
> this session variable is sometimes not set for what appear to be real
> visitors to my pages (my page is the HTTP_REFERER ).
>
> My first thought was that people were spoofing the referrer to look like
> a request from my page (which I figured would have to be very - even
> extremely - rare). On another hunch, I tried disabling cookies in my
> browser and I got the same result. There is no session variable.
>
> On my shared server:
> session.use_cookies = On
> session.use_only_cookies = Off
> session.use_trans_sid = 0
>
> I thought this meant that if a visitor has cookies disabled, the server
> would send the session ID in the headers somehow (vague as my
> understanding of this is), but I am not finding that to be the case.
> There are several visitors every day that appear to be at my site, but
> no session var has been set (so my script does not serve the images -
> d'oh!).
>
> I tried setting use_trans_sid, but I agree with the warning at PHP.net
> (that people will bookmark or email the URL with the session ID in it).
> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
> .... .... and .... ..... that didn't even work anyway (??).
>
> Am I mistaken? I thought I could use sessions with visitors regardless
> of their cookie settings.
>
> Is there a way to ensure that every visitor to my pages will, indeed,
> return a session ID with further GET requests (for the images)?

Alas, not much help, but I have had a similar experience with a
session-based guestbook script refusing valid messages for lack of the
proper session var being set.

Behaviour seemed too random (different browsers, addresses, times, cookies
on/off) to pinpoint exactly what caused it. Pressed for a timely solution
I then reverted to captcha usage and haven't done any more research since.

I've dealt with image/multimedia hotlinking issues solely via .htaccess:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?mydomain\.com [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png|swf|wmv|mpe?g|avi)$ siteinfo.png [L]


--
Schraalhans Keukenmeester - schraalhans@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"
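
An image gate of the kind discussed in this thread, as an added example (not code from either poster): it trusts the session flag when the session cookie came back and otherwise falls back to a Referer host comparison. The script name, the `f` parameter, the `img_ok` session key, the `images` directory and the fallback policy are assumptions; `mydomain.com` and `siteinfo.png` are taken from the rule above.

```php
<?php
// image_gate.php: added illustration, not code from the thread.
// Assumed setup (all names hypothetical): site pages call session_start()
// and set $_SESSION['img_ok'] = true; .htaccess rewrites image requests
// to image_gate.php?f=<file name>.
const IMAGE_DIR   = __DIR__ . '/images';
const PLACEHOLDER = __DIR__ . '/siteinfo.png';
const SITE_HOST   = 'mydomain.com';
const TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'gif' => 'image/gif', 'png' => 'image/png'];

// True when the Referer host is the site itself or one of its subdomains.
function referer_is_own_site(string $referer): bool
{
    $host   = strtolower((string) parse_url($referer, PHP_URL_HOST));
    $suffix = '.' . SITE_HOST;
    return $host === SITE_HOST || substr($host, -strlen($suffix)) === $suffix;
}

// Decide whether this request may receive the real image.
function request_is_allowed(): bool
{
    // With session.use_trans_sid = 0 the session ID travels only in the
    // cookie, so a visitor who blocks cookies arrives with no session.
    if (isset($_COOKIE[session_name()])) {
        session_start();
        $ok = !empty($_SESSION['img_ok']);
        session_write_close(); // release the session lock before sending data
        return $ok;
    }
    // No cookie came back: fall back to the weaker, client-supplied Referer.
    return referer_is_own_site($_SERVER['HTTP_REFERER'] ?? '');
}

// basename() drops any directory part, so "../" cannot leave IMAGE_DIR.
$f    = $_GET['f'] ?? '';
$name = is_string($f) ? basename($f) : '';
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$path = IMAGE_DIR . '/' . $name;

if (!array_key_exists($ext, TYPES) || !is_file($path)) {
    http_response_code(404);
    exit;
}
if (!request_is_allowed()) {
    $path = PLACEHOLDER;   // hotlinked request: serve the notice image
    $ext  = 'png';
}
header('Content-Type: ' . TYPES[$ext]);
readfile($path);
```

Both signals come from the client, so this discourages casual hotlinking rather than enforcing access control.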

 
