Re: sessions - with or without cookies

Posted by Chuck Anderson on 06/09/07 05:39

Denis Gerina wrote:
> Chuck Anderson wrote:
>
>> I've instituted a sessions based scheme on my web site to combat hot
>> linking to my images. When someone requests a page at my site, I set a
>> session variable. I then use htaccess to redirect *all* image requests
>> to a Php script that checks for that variable before simply delivering
>> the image. Direct links to my images will fail this test and no image
>> is served.
>>
>> I am monitoring my script by sending emails to myself and finding that
>> this session variable is sometimes not set for what appear to be real
>> visitors to my pages (my page is the HTTP_REFERER ).
>>
>> My first thought was that people were spoofing the referrer to look like
>> a request from my page (which I figured would have to be very - even
>> extremely - rare). On another hunch, I tried disabling cookies in my
>> browser and I got the same result. There is no session variable.
>>
>> On my shared server:
>> session.use_cookies = On
>> session.use_only_cookies = Off
>> session.use_trans_sid = 0
>>
>> I thought this meant that if a visitor has cookies disabled, the server
>> would send the session ID in the headers somehow (vague as my
>> understanding of this is), but I am not finding that to be the case.
>> There are several visitors every day that appear to be at my site, but
>> no session var has been set (so my script does not serve the images -
>> d'oh!).
>>
>> I tried setting use_trans_sid, but I agree with the warning at Php.net
>> (that people will bookmark or email the URL with the session ID in it).
>> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
>> .... .... and .... ..... that didn't even work anyway (??).
>>
>> Am I mistaken? I thought I could use sessions with visitors regardless
>> of their cookie settings.
>>
>> Is there a way to insure that every visitor to my pages will, indeed,
>> return a session ID with further GET requests (for the images)?
>>
>>
>
> AFAIK, there are 2 methods of propagating PHPSESSID, and those are
> cookies and the url. I don't know of a third mechanism, but if someone
> does please share it with us. :)
>
> To enable both methods, you'd have to have
>
> session.use_cookies = On
> session.use_only_cookies = Off
> session.use_trans_sid = 1
>
> This setting would mean PHP would try to use cookies, and if those are
> not available (disabled), it would automatically rewrite all the links
> in the page adding ?PHPSESSID=... at the end.
>
> However, and I've just tested this, PHP would not (at least by default)
> rewrite the SRC attribute of IMG tag, unlike the HREF attribute of the A
> tag which it does rewrite. That would mean, even if your PHP that does
> the checking was able to get the parameters passed through the image
> url, it would not receive the PHPSESSID and thus would not be able to
> access the session data for clients with cookies disabled.
>
>
>
> I suggest the following. Write a couple of simple PHP pages like this
>
>
> test1.php
> *****************
> <?php
> session_start();
>
> $_SESSION["visited"] = 1; //or whatever your flag variable is called
> ?>
>
> Click <a href="test2.php">here</a> to go to test2!
> *****************
>
>
>
> test2.php
>
> *****************
> <?php
> session_start();
> ?>
>
> This is a <a href="page2.php">link!</a>
> <br />
> This is an image without sessid<br /><br />
> <img src="image1.jpg">
> This is an image with sessid<br /><br />
> <img src="image1.jpg?PHPSESSID=<?php echo session_id(); ?>">
> *****************
>
> Disable cookies in your browser, go to test.php page, click the link to
> go to test2.php and tell us what you see.
>
>

A worthy test. I'll try some simple scripts like that .... later (it's
late).

I think I need to go back and read this again, too:
http://nedmartin.org/site/hotlink-prevention

..... He actually comes to the conclusion that cookies must be enabled.

I think I may have hit a road block in my plan.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
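For readers following the thread, here is an added example (not code from Chuck, Denis, or the PHP project) of the image gate Chuck describes: every image request is rewritten to one script, which serves the file only if the page-view flag from an earlier `session_start()` is present. The directory layout, the `visited` flag name, the `f` query parameter and the rewrite rule in the comment are assumptions. The refused-request log line records whether the browser sent a session cookie at all, which is the diagnostic the thread is missing: a visitor with cookies disabled arrives with an empty `$_SESSION` and is refused, exactly as Chuck observed.

```php
<?php
// Added example (not from the thread): an image gate of the kind Chuck describes.
// Assumed layout: images live in ./images/, and .htaccess sends every image
// request here, e.g.
//   RewriteEngine On
//   RewriteRule ^images/([^/]+\.(?:jpe?g|png|gif))$ /serve_image.php?f=$1 [L]
// The flag name 'visited' (set by the page script, as in Denis's test1.php)
// and the query parameter 'f' are assumptions.

declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/images';
const MIME_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Decide whether a request may receive the image.
 * True only when the page-view flag was set earlier in this session.
 * A browser that did not send the session cookie (cookies disabled, or a
 * direct link from elsewhere) starts a fresh, empty session and is refused.
 */
function sessionAllowsImages(array $session): bool
{
    return ($session['visited'] ?? 0) === 1;
}

/**
 * Map the requested file name to a path inside IMAGE_DIR, or null.
 * Only a bare file name with a known image extension is accepted, so the
 * rewrite rule and this check agree on what can be served.
 */
function resolveImagePath(string $requested): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $requested)) {
        return null;
    }
    $path = IMAGE_DIR . '/' . $requested;
    return is_file($path) ? $path : null;
}

function mimeTypeFor(string $path): string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return MIME_TYPES[$ext] ?? 'application/octet-stream';
}

session_start();

$path = resolveImagePath((string) ($_GET['f'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}

if (!sessionAllowsImages($_SESSION)) {
    // Log the refusal with the facts that matter for diagnosis: the referer
    // is only a hint, but whether the session cookie came back is decisive.
    error_log(sprintf(
        'image refused: file=%s referer=%s session_cookie_sent=%s',
        basename($path),
        $_SERVER['HTTP_REFERER'] ?? '-',
        isset($_COOKIE[session_name()]) ? 'yes' : 'no'
    ));
    http_response_code(403);
    exit;
}

header('Content-Type: ' . mimeTypeFor($path));
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With `session.use_only_cookies = Off`, as on Chuck's server, PHP will also accept the session ID from the URL, which is how Denis's `image1.jpg?PHPSESSID=...` test works; the trade-off is the one the PHP manual warns about in the thread, namely that a bookmarked or e-mailed URL then carries the session ID with it. The `session_cookie_sent` field in the log makes it possible to tell those cookie-less visitors apart from genuine direct links without relying on the referer.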
