Reply to Re: sessions - with or without cookies

Posted by Chuck Anderson on 06/16/07 21:03

Chuck Anderson wrote:
> Michael Fesser wrote:
>
>> .oO(Chuck Anderson)
>>
>>
>>
>>> I am seeing very definite results when I test from my own browser. With
>>> cookies enabled, the session var is always set.
>>>
>>> However, if I disable cookies, what happens is this (as it appears to
>>> me). When I enter the page (with image(s) in it), I call start_session
>>> and set my var. When the image requests are redirected (via htaccess) to
>>> the image server script, each call to start_session (one for every image
>>> on the page) creates a new session (empty sessions).
>>>
>>>
>> Correct, because by default PHP doesn't rewrite <img> tags when
>> session.use_trans_sid is enabled.
>>
>>
>>
>>> This makes sense,
>>> as my browser is not sending a cookie telling the server a session is in
>>> use. Based on that, I tried setting session.use_trans_sid, but that did
>>> not change anything (which seems puzzling).
>>>
>>>
>> Have a look at url_rewriter.tags and adjust it as required.
>>
>> Micha
>>
>>
>
> Nice! Thanks for that. That could be just what I'm looking for. I'll
> have to experiment with it later (but for now I've .... places to go,
> .... people to see, .... things to do ....)
>
> I'll post back my results.
>
>

Okay, ... this is all pretty much in a finalized state. I do have one
question, though (I'll get to it later).

(This is all about hotlinking protection using sessions - see previous
posts).

1. Since many of my pages are old (plain html), I've added a redirect
in htaccess (per directory, as I want to) to send .html requests to a
php script.

2. In that script I set session.use_trans_sid to 1 (On) and set
url_rewriter.tags to "img=src" (and only that) in case the visitor has
cookies disabled (if cookies are disabled, image request URLs include
the session ID). Then it starts a session, sets a variable, verifies
the requested html file is valid, and includes that file (otherwise 404).

If the file containing the images is a PHP file, I include the above at
the top of the PHP file.

3. In the same htaccess file (Step 1.) I redirect all image requests
(where referrer does not begin with my domain) to an image serving
script. When an image is requested, if the session var is set, I
deliver the image, otherwise I do "something else" (many options here,
but ultimately a simple ....
header("HTTP/1.1 404 Not Found"); exit;
..... is all that's needed).

After many trials, and now in this final state, the scripts seem to be
doing the job quite well. It appears that all visitors to my site can
see images (I am monitoring the results).

Here is my question, though. In the case where the visitor has disabled
cookies, my image serving script has to detect the session ID in the
$_GET array, extract it (if it is there) and set the session_id with
that value before I call start_session. The session functions do not
automatically detect it and use it (as I thought it would/should?). I
have to do that in my script. It was my impression that the session
functions would do that automatically with use_trans_sid.

--
*****************************
Chuck Anderson • Boulder, CO
*****************************
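
An added example, not part of the original post or the poster's script: a sketch of the image serving script from step 3, including the manual step raised in the question (taking the session ID from `$_GET` and passing it to `session_id()` before the session is started), with the ID checked for shape first. The session variable name `page_visited`, the `images` directory and the `img` query parameter are assumptions; the page does not say how the rewrite passes the image name.

```php
<?php
// Added example (not the poster's script). FLAG, IMAGE_DIR and the "img"
// query parameter are assumed names.
const FLAG = 'page_visited';
const IMAGE_DIR = __DIR__ . '/images';

// Session ID from the query string, or null when absent or malformed.
function sid_from_query(array $query, string $name): ?string
{
    $sid = $query[$name] ?? null;
    // PHP session IDs use only a-z, A-Z, 0-9, "," and "-".
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
        return null;
    }
    return $sid;
}

function may_serve_image(array $query, array $cookies): bool
{
    $name = session_name();          // the trans-sid URL parameter uses this name
    if (!isset($cookies[$name])) {
        $sid = sid_from_query($query, $name);
        if ($sid === null) {
            return false;            // nothing to resume: do not create an empty session
        }
        session_id($sid);            // must be set before the session is started
    }
    session_start();
    $ok = !empty($_SESSION[FLAG]);
    if ($_SESSION === []) {
        session_destroy();           // unknown ID: remove the empty session just created
    } else {
        session_write_close();       // release the session lock before sending the file
    }
    return $ok;
}

$img  = $_GET['img'] ?? '';
$file = IMAGE_DIR . '/' . (is_string($img) ? basename($img) : '');
if (!may_serve_image($_GET, $_COOKIE) || !is_file($file)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
header('Content-Type: ' . mime_content_type($file));
header('Content-Length: ' . filesize($file));
readfile($file);
```

Returning early when neither a cookie nor a well-formed ID is present avoids creating one empty session per image request, and `basename()` keeps the assumed `img` parameter from pointing outside the image directory.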
