Re: sessions - with or without cookies

Posted by Denis Gerina on 06/08/07 20:09

Chuck Anderson wrote:
> I've instituted a sessions based scheme on my web site to combat hot
> linking to my images. When someone requests a page at my site, I set a
> session variable. I then use htaccess to redirect *all* image requests
> to a Php script that checks for that variable before simply delivering
> the image. Direct links to my images will fail this test and no image
> is served.
>
> I am monitoring my script by sending emails to myself and finding that
> this session variable is sometimes not set for what appear to be real
> visitors to my pages (my page is the HTTP_REFERER ).
>
> My first thought was that people were spoofing the referrer to look like
> a request from my page (which I figured would have to be very - even
> extremely - rare). On another hunch, I tried disabling cookies in my
> browser and I got the same result. There is no session variable.
>
> On my shared server:
> session.use_cookies = On
> session.use_only_cookies = Off
> session.use_trans_sid = 0
>
> I thought this meant that if a visitor has cookies disabled, the server
> would send the session ID in the headers somehow (vague as my
> understanding of this is), but I am not finding that to be the case.
> There are several visitors every day that appear to be at my site, but
> no session var has been set (so my script does not serve the images -
> d'oh!).
>
> I tried setting use_trans_sid, but I agree with the warning at Php.net
> (that people will bookmark or email the URL with the session ID in it).
> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
> .... .... and .... ..... that didn't even work anyway (??).
>
> Am I mistaken? I thought I could use sessions with visitors regardless
> of their cookie settings.
>
> Is there a way to insure that every visitor to my pages will, indeed,
> return a session ID with further GET requests (for the images)?
>

AFAIK, there are 2 methods of propagating PHPSESSID, and those are
cookies and the url. I don't know of a third mechanism, but if someone
does please share it with us. :)

To enable both methods, you'd have to have

session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 1

This setting would mean PHP would try to use cookies, and if those are
not available (disabled), it would automatically rewrite all the links
in the page adding ?PHPSESSID=... at the end.

However, and I've just tested this, PHP would not (at least by default)
rewrite the SRC attribute of IMG tag, unlike the HREF attribute of the A
tag which it does rewrite. That would mean, even if your PHP that does
the checking was able to get the parameters passed through the image
url, it would not receive the PHPSESSID and thus would not be able to
access the session data for clients with cookies disabled.



I suggest the following. Write a couple of simple PHP pages like this


test1.php
*****************
<?php
session_start();

$_SESSION["visited"] = 1; //or whatever your flag variable is called
?>

Click <a href="test2.php">here</a> to go to test2!
*****************



test2.php

*****************
<?php
session_start();
?>

This is a <a href="page2.php">link!</a>
<br />
This is an image without sessid<br /><br />
<img src="image1.jpg">
This is an image with sessid<br /><br />
<img src="image1.jpg?PHPSESSID=<?php echo session_id(); ?>">
*****************

Disable cookies in your browser, go to test.php page, click the link to
go to test2.php and tell us what you see.
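
The image-gate script discussed in this thread, as an added example that is not part of the original post or anyone's actual site code. The script name `image.php`, the `img` query parameter and the `protected_images` directory are assumptions; the `visited` flag is the one set in test1.php above.

```php
<?php
// image.php - added example, not from the original post.
// Assumed setup: .htaccess rewrites image requests to image.php?img=<file name>,
// and the files live in a directory that the web server does not serve directly.
const IMAGE_DIR = __DIR__ . '/protected_images';   // assumed location
const TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// session_start() reads the session ID from the cookie or, when
// session.use_only_cookies = Off as in the post, from ?PHPSESSID=... in the URL.
session_start();

// The flag set by the page script ($_SESSION["visited"] in test1.php).
if (empty($_SESSION['visited'])) {
    deny(403);
}
session_write_close();   // release the session lock before streaming the file

// basename() drops any directory part, so "../" cannot escape IMAGE_DIR.
$img  = $_GET['img'] ?? '';
$name = is_string($img) ? basename($img) : '';
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$path = IMAGE_DIR . '/' . $name;

// Only known image types are served; anything else is treated as not found.
if ($name === '' || !array_key_exists($ext, TYPES) || !is_file($path)) {
    deny(404);
}

header('Content-Type: ' . TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private');   // keep shared caches from storing the image
readfile($path);
```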

 
