Bytes IT Community

sessions - with or without cookies

I've instituted a sessions based scheme on my web site to combat hot
linking to my images. When someone requests a page at my site, I set a
session variable. I then use htaccess to redirect *all* image requests
to a Php script that checks for that variable before simply delivering
the image. Direct links to my images will fail this test and no image
is served.

I am monitoring my script by sending emails to myself and finding that
this session variable is sometimes not set for what appear to be real
visitors to my pages (my page is the HTTP_REFERER ).

My first thought was that people were spoofing the referrer to look like
a request from my page (which I figured would have to be very - even
extremely - rare). On another hunch, I tried disabling cookies in my
browser and I got the same result. There is no session variable.

On my shared server:
session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 0

I thought this meant that if a visitor has cookies disabled, the server
would send the session ID in the headers somehow (vague as my
understanding of this is), but I am not finding that to be the case.
There are several visitors every day that appear to be at my site, but
no session var has been set (so my script does not serve the images -
d'oh!).

I tried setting use_trans_sid, but I agree with the warning at Php.net
(that people will bookmark or email the URL with the session ID in it).
And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
.... .... and .... ..... that didn't even work anyway (??).

Am I mistaken? I thought I could use sessions with visitors regardless
of their cookie settings.

Is there a way to insure that every visitor to my pages will, indeed,
return a session ID with further GET requests (for the images)?

--
*****************************
Chuck Anderson • Boulder, CO
*****************************
Jun 8 '07 #1
8 Replies


At Thu, 07 Jun 2007 21:12:26 -0600, Chuck Anderson let h(is|er) monkeys
type:
> I've instituted a sessions based scheme on my web site to combat hot
> linking to my images. When someone requests a page at my site, I set a
> session variable. I then use htaccess to redirect *all* image requests
> to a Php script that checks for that variable before simply delivering
> the image. Direct links to my images will fail this test and no image
> is served.
>
> I am monitoring my script by sending emails to myself and finding that
> this session variable is sometimes not set for what appear to be real
> visitors to my pages (my page is the HTTP_REFERER ).
>
> My first thought was that people were spoofing the referrer to look like
> a request from my page (which I figured would have to be very - even
> extremely - rare). On another hunch, I tried disabling cookies in my
> browser and I got the same result. There is no session variable.
>
> On my shared server:
> session.use_cookies = On
> session.use_only_cookies = Off
> session.use_trans_sid = 0
>
> I thought this meant that if a visitor has cookies disabled, the server
> would send the session ID in the headers somehow (vague as my
> understanding of this is), but I am not finding that to be the case.
> There are several visitors every day that appear to be at my site, but
> no session var has been set (so my script does not serve the images -
> d'oh!).
>
> I tried setting use_trans_sid, but I agree with the warning at Php.net
> (that people will bookmark or email the URL with the session ID in it).
> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
> .... .... and .... ..... that didn't even work anyway (??).
>
> Am I mistaken? I thought I could use sessions with visitors regardless
> of their cookie settings.
>
> Is there a way to insure that every visitor to my pages will, indeed,
> return a session ID with further GET requests (for the images)?

Alas, not much help, but I have had a similar experience with a sessions
based guestbook script refusing valid messages for lack of the proper
session var being set.

Behaviour seemed too random (different browsers, addresses, times, cookies
on/off) to pinpoint exactly what caused it. Pressed for a timely solution
I then reverted to captcha usage and haven't done any more research since.

I've dealt with image/multimedia hotlinking issues solely via .htaccess

# Placeholder for foreign Referers; a request with no Referer header at all fails the test too.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?mydomain\.com [NC]
# Keep the placeholder itself out of the rule so the rewritten request cannot match again.
RewriteCond %{REQUEST_URI} !siteinfo\.png$
RewriteRule .*\.(jpe?g|gif|bmp|png|swf|wmv|mpe?g|avi)$ siteinfo.png [L]
--
Schraalhans Keukenmeester - sc*********@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"

Jun 8 '07 #2

Chuck Anderson wrote:
> I've instituted a sessions based scheme on my web site to combat hot
> linking to my images. When someone requests a page at my site, I set a
> session variable. I then use htaccess to redirect *all* image requests
> to a Php script that checks for that variable before simply delivering
> the image. Direct links to my images will fail this test and no image
> is served.
>
> I am monitoring my script by sending emails to myself and finding that
> this session variable is sometimes not set for what appear to be real
> visitors to my pages (my page is the HTTP_REFERER ).
>
> My first thought was that people were spoofing the referrer to look like
> a request from my page (which I figured would have to be very - even
> extremely - rare). On another hunch, I tried disabling cookies in my
> browser and I got the same result. There is no session variable.
>
> On my shared server:
> session.use_cookies = On
> session.use_only_cookies = Off
> session.use_trans_sid = 0
>
> I thought this meant that if a visitor has cookies disabled, the server
> would send the session ID in the headers somehow (vague as my
> understanding of this is), but I am not finding that to be the case.
> There are several visitors every day that appear to be at my site, but
> no session var has been set (so my script does not serve the images -
> d'oh!).
>
> I tried setting use_trans_sid, but I agree with the warning at Php.net
> (that people will bookmark or email the URL with the session ID in it).
> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
> .... .... and .... ..... that didn't even work anyway (??).
>
> Am I mistaken? I thought I could use sessions with visitors regardless
> of their cookie settings.
>
> Is there a way to insure that every visitor to my pages will, indeed,
> return a session ID with further GET requests (for the images)?

AFAIK, there are 2 methods of propagating PHPSESSID, and those are
cookies and the url. I don't know of a third mechanism, but if someone
does please share it with us. :)

To enable both methods, you'd have to have

session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 1

This setting would mean PHP would try to use cookies, and if those are
not available (disabled), it would automatically rewrite all the links
in the page adding ?PHPSESSID=... at the end.

However, and I've just tested this, PHP would not (at least by default)
rewrite the SRC attribute of IMG tag, unlike the HREF attribute of the A
tag which it does rewrite. That would mean, even if your PHP that does
the checking was able to get the parameters passed through the image
url, it would not receive the PHPSESSID and thus would not be able to
access the session data for clients with cookies disabled.

I suggest the following. Write a couple of simple PHP pages like this
test1.php
*****************
<?php
session_start();

$_SESSION["visited"] = 1; //or whatever your flag variable is called
?>

Click <a href="test2.php">here</a> to go to test2!
*****************

test2.php

*****************
<?php
session_start();
?>

This is a <a href="page2.php">link!</a>
<br />
This is an image without sessid<br /><br />
<img src="image1.jpg">
This is an image with sessid<br /><br />
<img src="image1.jpg?PHPSESSID=<?php echo session_id(); ?>">
*****************

Disable cookies in your browser, go to the test1.php page, click the link to
go to test2.php and tell us what you see.

Jun 8 '07 #3


That would mean, even if your PHP that does the checking was able to get
the parameters passed through the image url...
************
I'll stress this. I haven't experimented much with .htaccess beyond
basic access control so I'm not really sure how that redirect works and
what is being passed to your php script that checks the session flag
variable and what isn't.

Jun 8 '07 #4

Schraalhans Keukenmeester wrote:
> At Thu, 07 Jun 2007 21:12:26 -0600, Chuck Anderson let h(is|er) monkeys
> type:
>
>> I've instituted a sessions based scheme on my web site to combat hot
>> linking to my images. When someone requests a page at my site, I set a
>> session variable. I then use htaccess to redirect *all* image requests
>> to a Php script that checks for that variable before simply delivering
>> the image. Direct links to my images will fail this test and no image
>> is served.
>>
>> I am monitoring my script by sending emails to myself and finding that
>> this session variable is sometimes not set for what appear to be real
>> visitors to my pages (my page is the HTTP_REFERER ).
>>
>> My first thought was that people were spoofing the referrer to look like
>> a request from my page (which I figured would have to be very - even
>> extremely - rare). On another hunch, I tried disabling cookies in my
>> browser and I got the same result. There is no session variable.
>>
>> On my shared server:
>> session.use_cookies = On
>> session.use_only_cookies = Off
>> session.use_trans_sid = 0
>>
>> I thought this meant that if a visitor has cookies disabled, the server
>> would send the session ID in the headers somehow (vague as my
>> understanding of this is), but I am not finding that to be the case.
>> There are several visitors every day that appear to be at my site, but
>> no session var has been set (so my script does not serve the images -
>> d'oh!).
>>
>> I tried setting use_trans_sid, but I agree with the warning at Php.net
>> (that people will bookmark or email the URL with the session ID in it).
>> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
>> .... .... and .... ..... that didn't even work anyway (??).
>>
>> Am I mistaken? I thought I could use sessions with visitors regardless
>> of their cookie settings.
>>
>> Is there a way to insure that every visitor to my pages will, indeed,
>> return a session ID with further GET requests (for the images)?
>
> Alas, not much help, but I have had a similar experience with a sessions
> based guestbook script refusing valid messages for lack of the proper
> session var being set.
>
> Behaviour seemed too random (different browsers, addresses, times, cookies
> on/off) to pinpoint exactly what caused it. Pressed for a timely solution
> I then reverted to captcha usage and haven't done any more research since.
>
> I've dealt with image/multimedia hotlinking issues solely via .htaccess
>
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?mydomain\.com [NC]
> RewriteRule .*\.(jpe?g|gif|bmp|png|swf|wmv|mpe?g|avi)$ siteinfo.png [L]

I am seeing very definite results when I test from my own browser. With
cookies enabled, the session var is always set.

However, if I disable cookies, what happens is this (as it appears to
me). When I enter the page (with image(s) in it), I call start_session
and set my var. When the image requests are redirected (via htaccess) to
the image server script, each call to start_session (one for every image
on the page) creates a new session (empty sessions). This makes sense,
as my browser is not sending a cookie telling the server a session is in
use. Based on that, I tried setting session.use_trans_sid, but that did
not change anything (which seems puzzling).

I have to enable cookies to pass the session_id from my browser to the
server (??).

I've also changed session.save_path to a directory in my home path
(above my web space). This makes it easier for me to track what's
happening, but has not changed anything.

I've been reading (at php.net) about using session_write_close():
http://us2.php.net/manual/en/ref.session.php#62486
http://us2.php.net/manual/en/ref.session.php#64525

.... but using that has not helped, either. Besides, I don't think it's
relevant. The first reference has to do with using header redirect
(which I'm not doing) and the second is about locking a session file in
case concurrent page load tries to write to it.

I think use_trans_sid could be the key .... but use_trans_sid does not
seem to be working.

Now, though, it's time for the pub where I can let my mind wander in
a more relaxed state. Maybe I'll stumble upon some insight. (I do
some of my best thinking while staring mindlessly at beer taps and
swilling pints.)

--
*****************************
Chuck Anderson Boulder, CO
http://www.CycleTourist.com
*****************************
Jun 9 '07 #5

Denis Gerina wrote:
> Chuck Anderson wrote:
>> I've instituted a sessions based scheme on my web site to combat hot
>> linking to my images. When someone requests a page at my site, I set a
>> session variable. I then use htaccess to redirect *all* image requests
>> to a Php script that checks for that variable before simply delivering
>> the image. Direct links to my images will fail this test and no image
>> is served.
>>
>> I am monitoring my script by sending emails to myself and finding that
>> this session variable is sometimes not set for what appear to be real
>> visitors to my pages (my page is the HTTP_REFERER ).
>>
>> My first thought was that people were spoofing the referrer to look like
>> a request from my page (which I figured would have to be very - even
>> extremely - rare). On another hunch, I tried disabling cookies in my
>> browser and I got the same result. There is no session variable.
>>
>> On my shared server:
>> session.use_cookies = On
>> session.use_only_cookies = Off
>> session.use_trans_sid = 0
>>
>> I thought this meant that if a visitor has cookies disabled, the server
>> would send the session ID in the headers somehow (vague as my
>> understanding of this is), but I am not finding that to be the case.
>> There are several visitors every day that appear to be at my site, but
>> no session var has been set (so my script does not serve the images -
>> d'oh!).
>>
>> I tried setting use_trans_sid, but I agree with the warning at Php.net
>> (that people will bookmark or email the URL with the session ID in it).
>> And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
>> .... .... and .... ..... that didn't even work anyway (??).
>>
>> Am I mistaken? I thought I could use sessions with visitors regardless
>> of their cookie settings.
>>
>> Is there a way to insure that every visitor to my pages will, indeed,
>> return a session ID with further GET requests (for the images)?
>
> AFAIK, there are 2 methods of propagating PHPSESSID, and those are
> cookies and the url. I don't know of a third mechanism, but if someone
> does please share it with us. :)
>
> To enable both methods, you'd have to have
>
> session.use_cookies = On
> session.use_only_cookies = Off
> session.use_trans_sid = 1
>
> This setting would mean PHP would try to use cookies, and if those are
> not available (disabled), it would automatically rewrite all the links
> in the page adding ?PHPSESSID=... at the end.
>
> However, and I've just tested this, PHP would not (at least by default)
> rewrite the SRC attribute of IMG tag, unlike the HREF attribute of the A
> tag which it does rewrite. That would mean, even if your PHP that does
> the checking was able to get the parameters passed through the image
> url, it would not receive the PHPSESSID and thus would not be able to
> access the session data for clients with cookies disabled.
>
> I suggest the following. Write a couple of simple PHP pages like this
> test1.php
> *****************
> <?php
> session_start();
>
> $_SESSION["visited"] = 1; //or whatever your flag variable is called
> ?>
>
> Click <a href="test2.php">here</a> to go to test2!
> *****************
>
> test2.php
>
> *****************
> <?php
> session_start();
> ?>
>
> This is a <a href="page2.php">link!</a>
> <br />
> This is an image without sessid<br /><br />
> <img src="image1.jpg">
> This is an image with sessid<br /><br />
> <img src="image1.jpg?PHPSESSID=<?php echo session_id(); ?>">
> *****************
>
> Disable cookies in your browser, go to the test1.php page, click the link to
> go to test2.php and tell us what you see.


A worthy test. I'll try some simple scripts like that .... later (it's
late).

I think I need to go back and read this again, too:
http://nedmartin.org/site/hotlink-prevention

..... He actually comes to the conclusion that cookies must be enabled.

I think I may have hit a road block in my plan.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
Jun 9 '07 #6

.oO(Chuck Anderson)

> I am seeing very definite results when I test from my own browser. With
> cookies enabled, the session var is always set.
>
> However, if I disable cookies, what happens is this (as it appears to
> me). When I enter the page (with image(s) in it), I call start_session
> and set my var. When the image requests are redirected (via htaccess) to
> the image server script, each call to start_session (one for every image
> on the page) creates a new session (empty sessions).

Correct, because by default PHP doesn't rewrite <img> tags when
session.use_trans_sid is enabled.

> This makes sense,
> as my browser is not sending a cookie telling the server a session is in
> use. Based on that, I tried setting session.use_trans_sid, but that did
> not change anything (which seems puzzling).

Have a look at url_rewriter.tags and adjust it as required.

Micha
Jun 11 '07 #7

Michael Fesser wrote:
> .oO(Chuck Anderson)
>
>> I am seeing very definite results when I test from my own browser. With
>> cookies enabled, the session var is always set.
>>
>> However, if I disable cookies, what happens is this (as it appears to
>> me). When I enter the page (with image(s) in it), I call start_session
>> and set my var. When the image requests are redirected (via htaccess) to
>> the image server script, each call to start_session (one for every image
>> on the page) creates a new session (empty sessions).
>
> Correct, because by default PHP doesn't rewrite <img> tags when
> session.use_trans_sid is enabled.
>
>> This makes sense,
>> as my browser is not sending a cookie telling the server a session is in
>> use. Based on that, I tried setting session.use_trans_sid, but that did
>> not change anything (which seems puzzling).
>
> Have a look at url_rewriter.tags and adjust it as required.
>
> Micha

Nice! Thanks for that. That could be just what I'm looking for. I'll
have to experiment with it later (but for now I've .... places to go,
.... people to see, .... things to do ....)

I'll post back my results.

--
*****************************
Chuck Anderson Boulder, CO
http://www.CycleTourist.com
*****************************
Jun 11 '07 #8

Chuck Anderson wrote:
> Michael Fesser wrote:
>> .oO(Chuck Anderson)
>>
>>> I am seeing very definite results when I test from my own browser. With
>>> cookies enabled, the session var is always set.
>>>
>>> However, if I disable cookies, what happens is this (as it appears to
>>> me). When I enter the page (with image(s) in it), I call start_session
>>> and set my var. When the image requests are redirected (via htaccess) to
>>> the image server script, each call to start_session (one for every image
>>> on the page) creates a new session (empty sessions).
>>
>> Correct, because by default PHP doesn't rewrite <img> tags when
>> session.use_trans_sid is enabled.
>>
>>> This makes sense,
>>> as my browser is not sending a cookie telling the server a session is in
>>> use. Based on that, I tried setting session.use_trans_sid, but that did
>>> not change anything (which seems puzzling).
>>
>> Have a look at url_rewriter.tags and adjust it as required.
>>
>> Micha
>
> Nice! Thanks for that. That could be just what I'm looking for. I'll
> have to experiment with it later (but for now I've .... places to go,
> .... people to see, .... things to do ....)
>
> I'll post back my results.


Okay, ... this is all pretty much in a finalized state. I do have one
question, though (I'll get to later).

(This is all about hotlinking protection using sessions - see previous
posts).

1. Since many of my pages are old (plain html), I've added a redirect
in htaccess (per directory, as I want to) to send .html requests to a
php script.

2. In that script I set session.use_trans_sid to 1 (On) and set
url_rewriter.tags to "img=src" (and only that) in case the visitor has
cookies disabled (if cookies are disabled, image request URLs include
the session ID). Then it starts a session, sets a variable, verifies
the request html file is valid, and includes that file (otherwise 404).

If the file containing the images is a Php file, I include the above in
the top of the php file.

3. In the same htaccess file (Step 1.) I redirect all image requests
(where referrer does not begin with my domain) to an image serving
script. When an image is requested, if the session var is set, I
deliver the image, otherwise I do "something else" (many options here,
but ultimately a simple ....
header("HTTP/1.1 404 Not Found"); exit;
..... is all that's needed).

After many trials, and now in this final state, the scripts seem to be
doing the job quite well. It appears that all visitors to my site can
see images (I am monitoring the results).

Here is my question, though. In the case where the visitor has disabled
cookies, my image serving script has to detect the session ID in the
$_GET array, extract it (if it is there) and set the session_id with
that value before I call start_session. The session functions do not
automatically detect it and use it (as I thought it would/should?). I
have to do that in my script. It was my impression that the session
functions would do that automatically with use_trans_sid.

--
*****************************
Chuck Anderson Boulder, CO
*****************************
Jun 16 '07 #9
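Steps 2 and 3 above put together as an added example (not Chuck Anderson's own script): mark_visit() is the top-of-page part that turns on trans_sid rewriting of <img src>, and serve_image() is the image-serving script, including the explicit session_id() call the closing question asks about, plus the checks a deployed version needs (ID shape, image directory containment). It assumes an images/ directory next to the file, a flag named 'visited', and a rewrite rule that passes the requested file name as ?img=<name> with [QSA] so the appended PHPSESSID survives the rewrite.

```php
<?php
// hotlink_session.php: added example, not the thread's own code.
// mark_visit() runs at the top of every page script (step 2); serve_image()
// runs in the script that .htaccess sends image requests to (step 3).
// Assumed: images live in images/ beside this file and the rewrite rule
// uses ?img=<name> with [QSA] so trans_sid's PHPSESSID parameter survives.
declare(strict_types=1);

// Step 2: start the session and mark it. PHP appends ?PHPSESSID=... to
// <img src> on every response that arrived without a session cookie, i.e.
// for cookie-less visitors and for everyone's very first page.
function mark_visit(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '1');
    ini_set('url_rewriter.tags', 'a=href,img=src');        // PHP <= 7.0
    ini_set('session.trans_sid_tags', 'a=href,img=src');   // PHP >= 7.1
    session_start();
    $_SESSION['visited'] = time();
}

// Step 3: answer one image request. Returns true when the image was sent,
// false after emitting a 404, so the caller can log the outcome.
function serve_image(string $imgDir, array $get, array $cookie): bool
{
    ini_set('session.use_trans_sid', '0');   // binary response, never rewrite it
    $name = session_name();                 // "PHPSESSID" unless renamed
    if (!isset($cookie[$name]) && isset($get[$name])) {
        // Cookie-less visitor: adopt the ID from the query string explicitly,
        // as the thread reports was needed. This also keeps the script
        // independent of session.use_only_cookies and rejects anything not
        // shaped like an ID PHP generates before the session handler sees it.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', (string)$get[$name])) {
            return not_found();
        }
        session_id((string)$get[$name]);
    }
    session_start();
    // An ID the server never issued yields a fresh, empty session (and with
    // session.use_strict_mode=1 is discarded), so a guessed ID unlocks nothing.
    $root = realpath($imgDir);
    $file = $root === false ? false
          : realpath($root . '/' . basename((string)($get['img'] ?? '')));
    $types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'gif' => 'image/gif', 'png' => 'image/png'];
    $ext = $file === false ? '' : strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (empty($_SESSION['visited']) || $file === false || !isset($types[$ext])
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return not_found();   // no/foreign session, traversal attempt, or not an image
    }
    header('Content-Type: ' . $types[$ext]);
    header('Content-Length: ' . (string)filesize($file));
    readfile($file);
    return true;
}

function not_found(): bool
{
    header('HTTP/1.1 404 Not Found');
    return false;
}
```

The rewrite target then only needs `require 'hotlink_session.php'; serve_image(__DIR__ . '/images', $_GET, $_COOKIE);`. On PHP 7.1 and later the session module reads session.trans_sid_tags rather than url_rewriter.tags, which is why the example sets both.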
