  1. #1
    SitePoint Addict
    Join Date
    Apr 2004
    Location
    Belgian in Mexico
    Posts
    307

    problem with changing php session and sid in url

    Hi,

    First, let me say I've searched forums (including Sitepoint's) as well as the php manual for hours without finding any complete solution to my problem, and I'm starting to pull my hair off. If you know of any thread that fully answers my questions, please send me the link...

    I have a little getfile.php script I use to avoid others linking to the downloadable files from other sites. In the page where the links are, I use
    PHP Code:
    session_start();
    $_SESSION['file_access'] = "download";
    When I call getfile.php?file=filename, the script checks if $_SESSION['file_access'] exists, and then starts the download. On my test PC (IIS), everything's fine, but on my webserver (shared), there's a weird behavior.
    After a few tests, I can definitely say the following works every time:
    1. click on the link
    2. a blank page appears but the download doesn't start
    3. go back (or type the address again) to the page with the link AND reload it
    4. click on the link
    5. this time the file is downloaded

    I assumed there was a problem with the session ID and that was confirmed after I echoed the SID, as it changed between the first and second page. I also echoed the $_SESSION['file_access'] and indeed, it was not passed. But WHY does it work after reloading the page (n°3 above)??? (After that reload, the SID is not echoed anymore (I don't understand why), as if it were empty, but the $_SESSION['file_access'] is passed from the link page to getfile.php.)

    I removed these 2 lines I had used to remove the session ID from the URL:
    PHP Code:
    ini_set("session.use_trans_sid", "0");
    ini_set("url_rewriter.tags", "");
    and then the downloads worked fine (and the SID didn't change anymore), but the SID appears in the URL, once again...

    On my local PC, that SID doesn't appear in the URL. I tested from my webserver with all cookies allowed, so it should be fine, and I changed the only Session config parameter that was different on my webserver via .htaccess, so the configuration matches the one on my local IIS.

    Does anyone know how I can make it work:
    1. with only one click on the download link, as it should be AND
    2. without the SID being displayed in the URL
    ???

    Also, apart from being ugly and less secure, is the SID in the URL bad for Google indexing?

    Is there any way to do what I want without using sessions?

    Thanks,

    Michaël
    Michaël Niessen
    http://assemblysys.com
    (Countries/states/cities with latitude & longitude,
    weathercodes & topical databases)

  2. #2
    SitePoint Wizard
    Join Date
    Aug 2004
    Location
    California
    Posts
    1,672
    Not sure if this will help your specific problem, but I have found that before session start I need to set the cache limiter for IE to handle downloads correctly. Usually something like this:
    PHP Code:
    if (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) {
        session_cache_limiter('must-revalidate');
    }
    session_start();
    If this in fact helps, you may need to add other headers as well to make things work correctly. Check the online PHP manual under header() and session_cache_limiter() regarding this.
    Christopher

  3. #3
    SitePoint Addict
    Join Date
    Apr 2004
    Location
    Belgian in Mexico
    Posts
    307
    Thanks for your reply, but I already have
    PHP Code:
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); 
    in the download script, and there's no problem in either IE or Firefox. Well, for the download part.
    What my problem really is, is the session ID thing.

    I'll still check the php manual for header() and session_cache_limiter(), in case I find something related (especially in the comments).

    Michaël
    Michaël Niessen
    http://assemblysys.com
    (Countries/states/cities with latitude & longitude,
    weathercodes & topical databases)

  4. #4
    SitePoint Zealot
    Join Date
    Jan 2005
    Posts
    104
    I was reading the sample chapters from the PHP Anthology book and one of the sections talked about storing the session ID in a DB. It's a pretty simple process of modifying the php.ini file and creating the table. This way you don't need cookies and the session ID will not be passed through the URL.

  5. #5
    SitePoint Addict
    Join Date
    Apr 2004
    Location
    Belgian in Mexico
    Posts
    307
    Thanks for the answer. I don't think I could use that method since my website is on a shared host.
    Anyway, I'll take a look at those sample chapters.

    Michaël
    Michaël Niessen
    http://assemblysys.com
    (Countries/states/cities with latitude & longitude,
    weathercodes & topical databases)

  6. #6
    SitePoint Zealot
    Join Date
    Jan 2005
    Posts
    104
    You can also use HTTP_REFERER to check where the user came from. If you want an extra layer of security you can also log their IP on one page and check for it on the dl page.
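
Post #1 asks whether the download can be gated without sessions, and post #6 suggests HTTP_REFERER, a header the client controls and may omit. As an added example that is not code from the thread, a signed, expiring link lets getfile.php verify that the link page issued the URL without any session or cookie; `DOWNLOAD_KEY`, `make_link()` and `check_link()` are hypothetical names and the key is a placeholder.

```php
<?php
// Added example, not from the thread. DOWNLOAD_KEY, make_link() and
// check_link() are hypothetical names; the key value is a placeholder.
const DOWNLOAD_KEY = 'replace-with-a-long-random-secret';

// Link page: build getfile.php?file=...&exp=...&sig=... valid for $ttl seconds.
function make_link(string $file, int $ttl = 300, ?int $now = null): string
{
    $exp = ($now ?? time()) + $ttl;
    $sig = hash_hmac('sha256', $file . "\n" . $exp, DOWNLOAD_KEY);
    return 'getfile.php?' . http_build_query(
        ['file' => $file, 'exp' => $exp, 'sig' => $sig]
    );
}

// getfile.php: return the bare file name if the request is valid, else null.
function check_link(array $get, ?int $now = null): ?string
{
    $file = $get['file'] ?? '';
    $exp  = $get['exp']  ?? '';
    $sig  = $get['sig']  ?? '';
    if (!is_string($file) || !is_string($exp) || !is_string($sig)) {
        return null;                       // arrays such as ?file[]=x
    }
    if (!ctype_digit($exp) || (int) $exp < ($now ?? time())) {
        return null;                       // malformed or expired
    }
    $expected = hash_hmac('sha256', $file . "\n" . $exp, DOWNLOAD_KEY);
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;                       // file name or expiry was altered
    }
    // The name is signed, but still refuse anything with a path component.
    return ($file !== '' && basename($file) === $file) ? $file : null;
}

// Constructed self-check with fixed timestamps, run as: php example.php
if (PHP_SAPI === 'cli') {
    parse_str(parse_url(make_link('cities.zip', 300, 1000), PHP_URL_QUERY), $q);
    var_dump(check_link($q, 1200));                            // within the TTL
    var_dump(check_link($q, 1301));                            // after expiry
    var_dump(check_link(['file' => 'other.zip'] + $q, 1200));  // name swapped
}
```

A link copied to another site keeps working only until `exp` passes, so the TTL should be short, and the key must stay out of the web root and version control.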

  7. #7
    SitePoint Addict
    Join Date
    Apr 2004
    Location
    Belgian in Mexico
    Posts
    307
    Thank you very much to those who answered. I've started reading the PHP Anthology sample chapters and I now have been able to do what I wanted.

    Michaël
    Michaël Niessen
    http://assemblysys.com
    (Countries/states/cities with latitude & longitude,
    weathercodes & topical databases)

