Posted by Chuck Anderson on 06/09/07 05:09
Schraalhans Keukenmeester wrote:
> At Thu, 07 Jun 2007 21:12:26 -0600, Chuck Anderson let h(is|er) monkeys
> type:
>
>
>> I've instituted a sessions based scheme on my web site to combat hot
>> linking to my images. When someone requests a page at my site, I set a
>> session variable. I then use htaccess to redirect *all* image requests
>> to a Php script that checks for that variable before simply delivering
>> the image. Direct links to my images will fail this test and no image
>> is served.
>>
>> I am monitoring my script by sending emails to myself and finding that
>> this session variable is sometimes not set for what appear to be real
>> visitors to my pages (my page is the HTTP_REFERER ).
>>
>> My first thought was that people were spoofing the referrer to look like
>> a request from my page (which I figured would have to be very - even
>> extremely - rare). On another hunch, I tried disabling cookies in my
>> browser and I got the same result. There is no session variable.
>>
>> On my shared server:
>> session.use_cookies = On
>> session.use_only_cookies = Off
>> session.use_trans_sid = 0
>>
>> I thought this meant that if a visitor has cookies disabled, the server
>> would send the session ID in the headers somehow (vague as my
>> understanding of this is), but I am not finding that to be the case.
>> There are several visitors every day that appear to be at my site, but
>> no session var has been set (so my script does not serve the images -
>> d'oh!).
>>
>> I tried setting use_trans_sid, but I agree with the warning at Php.net
>> (that people will bookmark or email the URL with the session ID in it).
>> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
>> .... .... and .... ..... that didn't even work anyway (??).
>>
>> Am I mistaken? I thought I could use sessions with visitors regardless
>> of their cookie settings.
>>
>> Is there a way to insure that every visitor to my pages will, indeed,
>> return a session ID with further GET requests (for the images)?
>>
>
> Alas, not much help, but I have had a similar experience with a sessions
> based guestbook script refusing valid messages for lack of the proper
> session var being set.
>
> Behaviour seemed too random (different browsers, addresses, times, cookies
> on/off) to pinpoint exactly what caused it. Pressed for a timely solution
> I then reverted to captcha usage and haven't done any more research since.
>
> I've dealt with image/multimedia hotlinking issues solely via .htaccess
>
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?mydomain\.com [NC]
> RewriteRule .*\.(jpe?g|gif|bmp|png|swf|wmv|mpe?g|avi)$ siteinfo.png [L]
>
>
>
I am seeing very definite results when I test from my own browser. With
cookies enabled, the session var is always set.
However, if I disable cookies, what happens is this (as it appears to
me). When I enter the page (with image(s) in it), I call start_session
and set my var. When the image requests are redirected (via htaccess) to
the image server script, each call to start_session (one for every image
on the page) creates a new session (empty sessions). This makes sense,
as my browser is not sending a cookie telling the server a session is in
use. Based on that, I tried setting session.use_trans_sid, but that did
not change anything (which seems puzzling).
I have to enable cookies to pass the session_id from my browser to the
server (??).
I've also changed session.save_path to a directory in my home path
(above my web space). This makes it easier for me to track what's
happening, but has not changed anything.
I've been reading (at php.net) about using session_write_close():
http://us2.php.net/manual/en/ref.session.php#62486
http://us2.php.net/manual/en/ref.session.php#64525
.... but using that has not helped, either. Besides, I don't think it's
relevant. The first reference has to do with using header redirect
(which I'm not doing) and the second is about locking a session file in
case concurrent page load tries to write to it.
I think use_trans_sid could be the key .... but use_trans_sid does not
seem to be working.
Now, though, it's time for the pub where I can let my mind wander in
a more relaxed state. Maybe I'll stumble upon some insight. ô¿Ô¬ (I do
some of my best thinking while staring mindlessly at beer taps and
swilling pints.)
--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
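The scheme discussed in this thread, written out as an added example (this is not the poster's code, and the file names, the `images/` directory, the `site_visitor` variable and the rewrite rule in the comment are assumptions). It shows the two pieces that have to agree: the page that starts the session and embeds the images, and the script that the `.htaccess` rewrite sends every image request to. Two details matter for the cookie-less case described above. First, `session.use_trans_sid` only rewrites URLs inside the tags listed in `url_rewriter.tags`, and PHP's default list (`a=href,area=href,frame=src,input=src,form=fakeentry`) does not include `img=src`, so `<img>` URLs are never rewritten unless that entry is added before `session_start()` and before any output; the rewrite rule also needs `QSA` so the `PHPSESSID` query string survives the internal rewrite. Second, with `session.use_only_cookies = Off` the server accepts a session ID from the URL, which is exactly what lets the cookie-less visitor work but also means any copied or shared image URL carries a usable session ID, the property that makes session fixation possible; keep nothing in such a session beyond the "visited a page" flag.

```php
<?php
// ---------- index.php : page that embeds the images (added example) ----------
// Assumed .htaccess, which hands every image request to img.php and keeps the
// query string (QSA) so a PHPSESSID appended by the rewriter is not lost:
//   RewriteEngine on
//   RewriteRule ^images/(.*\.(jpe?g|gif|png))$ img.php?f=$1 [L,QSA]

// Both settings must be in place before session_start() and before any output.
ini_set('session.use_trans_sid', '1');
ini_set('url_rewriter.tags',
        'a=href,area=href,frame=src,input=src,form=fakeentry,img=src');
session_start();
$_SESSION['site_visitor'] = time();   // the only thing this session ever holds

// The URL rewriter touches relative URLs only; an absolute http://... src
// would be left alone.
echo "<html><body>\n";
echo "<img src=\"images/photo.jpg\" alt=\"\">\n";   // assumed image name
echo "</body></html>\n";
?>
<?php
// ---------- img.php : target of the rewrite (added example) ----------
// Without a session cookie and without PHPSESSID in the URL, this call creates
// a brand-new, empty session, so the check below fails. That is the behaviour
// the poster sees once cookies are disabled.
session_start();

if (empty($_SESSION['site_visitor'])) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Release the session file lock before doing I/O so a page with many images
// does not serialize its requests on one lock.
session_write_close();

// Map the requested name back to a real file under images/ only; basename()
// plus the realpath() prefix test keeps ../ style names from escaping it.
$base = realpath(__DIR__ . '/images');
$name = isset($_GET['f']) ? basename($_GET['f']) : '';
$path = ($base !== false && $name !== '') ? realpath($base . '/' . $name) : false;
if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

$types = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'png' => 'image/png', 'gif' => 'image/gif');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
readfile($path);
```

The two files are shown in one listing for reading; deploy them as separate scripts. A visitor with cookies enabled sends the session cookie on every image request and passes the `site_visitor` check; a visitor with cookies disabled only passes it if the page was generated with `img=src` in `url_rewriter.tags`, so that each image URL carries the session ID the rewrite rule forwards to `img.php`.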