sessions - with or without cookies

Re: sessions - with or without cookies

At Thu, 07 Jun 2007 21:12:26 -0600, Chuck Anderson let h(is|er) monkeys
type:
Alas, not much help, but I have had a similar experience with a sessions
based guestbook script refusing valid messages for lack of the proper
session var being set.

Behaviour seemed too random (different browsers, addresses, times, cookies
on/off) to pinpoint exactly what caused it. Pressed for a timely solution
I then reverted to captcha usage and haven't done any more research since.

I've dealt with image/multimedia hotlinking issues solely via .htaccess

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?mydomain\. com [NC]
RewriteRule .*\.(jpe?g|gif| bmp|png|swf|wmv |mpe?g|avi)$ siteinfo.png [L]


--
Schraalhans Keukenmeester - schraalhans@the .Spamtrapexampl e.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples ','oranges') < 0"

Re: sessions - with or without cookies

Chuck Anderson wrote:AFAIK, there are 2 methods of propagating PHPSESSID, and those are
cookies and the url. I don't know of a third mechanism, but if someone
does please share it with us. :)

To enable both methods, you'd have to have

session.use_coo kies = On
session.use_onl y_cookies = Off
session.use_tra ns_sid = 1

This setting would mean PHP would try to use cookies, and if those are
not available (disabled), it would automatically rewrite all the links
in the page adding ?PHPSESSID=... at the end.

However, and I've just tested this, PHP would not (at least by default)
rewrite the SRC attribute of IMG tag, unlike the HREF attribute of the A
tag which it does rewrite. That would mean, even if your PHP that does
the checking was able to get the paramaters passed through the image
url, it would not receive the PHPSESSID and thus would not be able to
access the session data for clients with cookies disabled.



I suggest the following. Write a couple of simple PHP pages like this


test1.php
*************** **
<?php
session_start() ;

$_SESSION["visited"] = 1; //or whatever your flag variable is called
?>

Click <a href="test2.php ">here</ato go to test2!
*************** **



test2.php

*************** **
<?php
session_start() ;
?>

This is a <a href="page2.php ">link!</a>
<br />
This is an image without sessid<br /><br />
<img src="image1.jpg ">
This is an image with sessid<br /><br />
<img src="image1.jpg ?PHPSESSID=<?ph p echo session_id(); ?>">
*************** **

Disable cookies in your browser, go to test.php page, click the link to
go to test2.php and tell us what you see.

Re: sessions - with or without cookies


That would mean, even if your PHP that does the checking was able to get
the paramaters passed through the image url...
************


I'll stress this. I haven't experimented much with .htaccess beyond
basic access control so I'm not really sure how that redirect works and
what is being passed to your php script that checks the session flag
variable and what isn't.

Re: sessions - with or without cookies

Schraalhans Keukenmeester wrote:I am seeing very definite results when I test from my own browser. With
cookies enabled, the session var is always set.

However, if I disable cookies, what happens is this (as it appears to
me). When I enter the page (with image(s) in it), I call start_session
and set my var. When the image requests are redirected (via htaccess) to
the image server script, each call to start_session (one for every image
on the page) creates a new session (empty sessions). This makes sense,
as my browser is not sending a cookie telling the server a session is in
use. Based on that, I tried setting session.use_tra ns_sid, but that did
not change anything (which seems puzzling).

I have to enable cookies to pass the session_id from my browser to the
server (??).

I've also changed session.save_pa th to a directory in my home path
(above my web space). This makes it easier for me to track what's
happening, but has not changed anything.

I've been reading (at php.net) about using session_write_c lose():



.... but using that has not helped, either. Besides, I don't think it's
relevant. The first reference has to do with using header redirect
(which I'm not doing) and the second is about locking a session file in
case concurrent page load tries to write to it.

I think use_trans_sid could be the key .... but use_trans_sid does not
seem to be working.

Now, though, it's time for the pub where I can let my my mind wander in
a more relaxed state. Maybe I'll stumble upon some insight. ô¿Ô¬ (I do
some of my best thinking while staring mindlessly at beer taps and
swilling pints.)

--
*************** **************
Chuck Anderson • Boulder, CO

*************** **************

Re: sessions - with or without cookies

Denis Gerina wrote:A worthy test. I'll try some simple scripts like that .... later (it's
late).

I think I need to go back and read this again, too:


..... He actually comes to the conclusion that cookies must be enabled.

I think I may have hit a road block in my plan.

--
*************** **************
Chuck Anderson • Boulder, CO

*************** **************

Re: sessions - with or without cookies

..oO(Chuck Anderson)
Correct, because by default PHP doesn't rewrite <imgtags when
session.use_tra ns_sid is enabled.
Have a look at url_rewriter.ta gs and adjust it as required.

Micha

Re: sessions - with or without cookies

Michael Fesser wrote:Nice! Thanks for that. That could be just what I'm looking for. I'll
have to experiment with it later (but for now I've .... places to go,
..... people to see, .... things to do ....)

I'll post back my results.

--
*************** **************
Chuck Anderson • Boulder, CO

*************** **************

Re: sessions - with or without cookies

Chuck Anderson wrote:Okay, ... this is all pretty much in a finalized state. I do have one
question, though (I'll get to later).

(This is all about hotlinking protection using sessions - see previous
posts).

1. Since many of my pages are old (plain html), I've added a redirect
in htaccess (per directory, as I want to) to send .html requests to a
php script.

2. In that script I set session.use_tra ns_sid to 1 (On) and set
url_rewriter.ta gs to "img=src" (and only that) in case the visitor has
cookies disabled (if cookies are disabled, image request URLs include
the session ID). Then it starts a session, sets a variable, verifies
the request html file is valid, and includes that file (otherwise 404).

If the file containing the images is a Php file, I include the above in
the top of the php file.

3. In the same htaccess file (Step 1.) I redirect all image requests
(where referrer does not begin with my domain) to an image serving
script. When an image is requested, if the session var is set, I
deliver the image, otherwise I do "something else" (many options here,
but ultimately a simple ....
header("HTTP/1.1 404 Not Found"); exit;
..... is all that's needed).

After many trials, and now in this final state, the scripts seem to be
doing the job quite well. It appears that all visitors to my site can
see images (I am monitoring the results).

Here is my question, though. In the case where the visitor has disabled
cookies, my image serving script has to detect the session ID in the
$_GET array, extract it (if it is there) and set the session_id with
that value before I call start_session. The session functions do not
automatically detect it and use it (as I thought it would/should?). I
have to do that in my script. It was my impression that the session
functions would do that automatically with use_trans_sid.

--
*************** **************
Chuck Anderson • Boulder, CO
*************** **************