PHP session + gd lib image
Posted: Fri Aug 28, 2009 1:33 pm
by sousousou
The situation is as follows. I have a form in which I use a gdlib generated picture with a random string in it. This random string is a session variable. It works quite well, except the first time I visit the form. The picture has no text in it, but the print_r does. After a refresh everything works just fine. The form beneath is included in the index when someone clicks on the navigation link for this form.
The form code (part of it):
Code:
session_start();
require ("php/XXX/secFunctions.php");
$_SESSION['sessionString'] = randomString(5);
<form action="<? echo $_SERVER["PHP_SELF"]; ?>?id=gbadd" method="POST">
<img width="150" height="100" border="0" src="image.php?random='.microtime(true).'" alt="secImage"> <br />
<input size="50" maxlength="60" type="text" name="sec"><br />
<?php echo "session:"; Print_r ($_SESSION); ?>
</form>
image.php:
Code:
session_start();
require ("php/XXX/secFunctions.php");
createSecImage(150, 100, 100, $_SESSION['sessionString']);
secFunctions contains the functions 'randomString($length)' and 'createSecImage($width, $height, $percentage, $text)'
The index file starts with a session_start(); as well. I don't know what the problem might be, although I've searched several sites. The first solution was ?random='.microtime(true). and then it worked, but after I renamed the image.php file to image.php (instead of test.php) it didn't work anymore (and I replaced all path- and filenames correctly).
Sorry if the English isn't as good as it should be. It's not my first language. I hope I can make myself clear with this muttering.

Re: PHP session + gd lib image
Posted: Fri Aug 28, 2009 2:01 pm
by Darhazer
What shows print_r($_SESSION) in the image.php?
Does session_write_close() before outputting the form resolve the problem?
Also, in the image.php send cache-control headers to disallow caching of the image
Re: PHP session + gd lib image
Posted: Fri Aug 28, 2009 2:10 pm
by sousousou
Darhazer wrote:What shows print_r($_SESSION) in the image.php?
Does session_write_close() before outputting the form resolve the problem?
Also, in the image.php send cache-control headers to disallow caching of the image
I don't know exactly what you mean with "What shows print_r($_SESSION) in the image.php?" But I put the print_r in the code to check what happens, it should have the same value as the text in the picture (so I can match the strings to see if the person was able to read the text from the image).
I'll try session_write_close(), but I'm not advanced enough to understand what you mean with cache-control headers ... sorry

Re: PHP session + gd lib image
Posted: Fri Aug 28, 2009 2:16 pm
by Darhazer
Code:
header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
header( "Cache-Control: no-cache, must-revalidate" );
header( "Pragma: no-cache" );
Re: PHP session + gd lib image
Posted: Fri Aug 28, 2009 3:47 pm
by sousousou
Darhazer wrote:
Code:
header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
header( "Cache-Control: no-cache, must-revalidate" );
header( "Pragma: no-cache" );
This alone doesn't do the trick. Now I'm looking where to put my session_write_close();
Cause I have this kind of output handler:
Code:
if(!IsSet($_POST['stage']))
{
?>
<form action="<? echo $_SERVER["PHP_SELF"]; ?>?id=gbadd" method="POST">
<img width="150" height="100" border="0" src="image.php?random='.microtime(true).'" alt="secImage"> <br />
<input size="50" maxlength="60" type="text" name="sec"><br />
<?php echo "session:"; Print_r ($_SESSION); ?>
<input type="hidden" name="ipaddress" value="<? echo $_SERVER["REMOTE_ADDR"]; ?>">
<input type="hidden" name="stage" value=1>
</form>
<?
} else {
Should it be after the else?
Re: PHP session + gd lib image
Posted: Fri Aug 28, 2009 4:46 pm
by Darhazer
Before it... or you can put it right after the last $_SESSION assignment.
Re: PHP session + gd lib image
Posted: Fri Aug 28, 2009 5:22 pm
by sousousou
The code is now:
form:
Code:
session_start();
require ("php/XXX/secFunctions.php");
$_SESSION['sessionString'] = randomString(5);
session_write_close();
if(!IsSet($_POST['stage']))
{
?>
<form action="<? echo $_SERVER["PHP_SELF"]; ?>?id=gbadd" method="POST">
.
<img width="150" height="100" border="0" src="image.php?random='.microtime(true).'" alt="secImage"> <br />
<input size="50" maxlength="60" type="text" name="sec"><br />
<?php echo "session:"; Print_r ($_SESSION); ?>
<input type="hidden" name="stage" value=1>
</form>
<?php
} else {
image.php
Code:
header( "Content-Type: image/png");
header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
header( "Cache-Control: no-cache, must-revalidate" );
header( "Pragma: no-cache" );
session_start();
require ("php/XXX/secFunctions.php");
createSecImage(150, 100, 100, $_SESSION['sessionString']);
But still the first time I visit the page, there's no text in the image, only with print_r
Re: PHP session + gd lib image
Posted: Fri Aug 28, 2009 8:35 pm
by joeynovak
That's a tough problem, I would put some logging code in the image.php script that writes the session value out to a file. That way you have simplified the problem and you KNOW without a doubt it's a session problem and not an image problem. Then, try putting a small sleep in the image.php but BEFORE the session_start(); That might fix it...
Joey
Re: PHP session + gd lib image
Posted: Sat Aug 29, 2009 8:58 am
by sousousou
My image.php now looks like this:
Code:
header( "Content-Type: image/png");
header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
header( "Cache-Control: no-cache, must-revalidate" );
header( "Pragma: no-cache" );
session_start();
require ("gbsecurity/secFunctions.php");
$fp = fopen("log.txt", "a");
fwrite($fp, $_SESSION['sessionString']);
fwrite($fp, "\n");
fclose($fp);
createSecImage(150, 100, 100, $_SESSION['sessionString']);
log.txt looks like this:
So the first time $_SESSION['sessionString'] is unknown.
Re: PHP session + gd lib image
Posted: Sat Aug 29, 2009 10:30 am
by Darhazer
I think that the problem is the following:
First time user visits the page, it sends it a cookie...
But the browser sends the cookie back only on the next visit
This is why you are losing the session
I really don't know why the browser does not send the cookie back for the image, as it's a separate HTTP request, but it seems that this is the case
You can log the $_COOKIE variable to check that it's empty
Anyway, if you move the $_SESSION['sessionString'] = randomString(5); in image.php, it should resolve the problem.
Re: PHP session + gd lib image
Posted: Mon Aug 31, 2009 6:40 am
by sousousou
Darhazer wrote:I think that the problem is the following:
First time user visits the page, it sends it a cookie...
But the browser sends the cookie back only on the next visit
This is why you are losing the session
I really don't know why the browser does not send the cookie back for the image, as it's a separate HTTP request, but it seems that this is the case
You can log the $_COOKIE variable to check that it's empty
Anyway, if you move the $_SESSION['sessionString'] = randomString(5); in image.php, it should resolve the problem.
I've moved $_SESSION['sessionString'] = randomString(5); to the image.php. What happens is that the first time the image has the randomstring text, but the print_r does not. After a refresh the image has a new text and the print_r has the text the image had before the refresh.
And with this image.php code:
Code:
header( "Content-Type: image/png");
header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
header( "Cache-Control: no-cache, must-revalidate" );
header( "Pragma: no-cache" );
session_start();
require ("gbsecurity/secFunctions.php");
$fp = fopen("log.txt", "a");
fwrite($fp, $_SESSION['sessionString']);
fwrite($fp, "- cookie:");
fwrite($fp, $_COOKIE);
fwrite($fp, "\n");
fclose($fp);
createSecImage(150, 100, 100, $_SESSION['sessionString']);
The log file returned the following:
Code:
- cookie:Array
Px5XK- cookie:Array
lqJVN- cookie:Array
VZUY3- cookie:Array
I also noticed that when I submitted the form and went back (because of wrong input) with the history button, that the sessionString of the image changed, but the print_r still had the old value.
Re: PHP session + gd lib image
Posted: Tue Sep 01, 2009 5:48 am
by sousousou
A little kicker. This problem hasn't been solved for a week now.
Should I just use another method to compare an image in a text with the user input? If so, which? Cause I could only come up with this (my first time doing something in security functions).
Re: PHP session + gd lib image
Posted: Wed Sep 02, 2009 5:44 am
by sousousou
Putting session_start() on line 1, above the headers, doesn't have an effect either.

Re: PHP session + gd lib image
Posted: Fri Sep 04, 2009 7:58 am
by sousousou
Darhazer wrote:
Anyway, if you move the $_SESSION['sessionString'] = randomString(5); in image.php, it should resolve the problem.
After some other tries, this solved the problem. At first the print_r wasn't the same as the text in the image. This doesn't matter cause when I check if the input is the same as the text in the image the form script is run for the second time and the value of the image is set.
The new question is if my version of this kind of security is safe enough?
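
An added example, not code from any poster in this thread: a single-file sketch of the arrangement the thread ended on, where the image request creates the session value and the form POST checks it. `newChallenge()` and `checkChallenge()` are hypothetical names standing in for the thread's `randomString()` and its comparison step; the CSPRNG, the single-use `unset` and the `hash_equals` comparison are assumptions added here, not something the thread describes.

```php
<?php
// Added example: save as one file; "?img=1" serves the picture,
// the plain URL shows the form and handles its POST.
session_start();

// Hypothetical stand-in for the thread's randomString(); draws from a CSPRNG.
function newChallenge(int $length = 5): string {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no look-alike glyphs
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Compare the answer with the stored value, then discard the stored value
// so one solved image cannot be reused for further submissions.
function checkChallenge(string $answer): bool {
    $expected = $_SESSION['sessionString'] ?? '';
    unset($_SESSION['sessionString']);
    return $expected !== '' && hash_equals($expected, strtoupper(trim($answer)));
}

if (isset($_GET['img'])) {
    // Image request: the value is created in the same request that draws it.
    $_SESSION['sessionString'] = newChallenge();
    $text = $_SESSION['sessionString'];
    session_write_close();
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    $im = imagecreatetruecolor(150, 100);
    imagefill($im, 0, 0, imagecolorallocate($im, 255, 255, 255));
    imagestring($im, 5, 50, 40, $text, imagecolorallocate($im, 0, 0, 0));
    imagepng($im);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sec = $_POST['sec'] ?? '';
    echo checkChallenge(is_string($sec) ? $sec : '') ? 'Code accepted' : 'Wrong code';
    exit;
}
// The form never prints $_SESSION: that would put the answer in the page source.
?>
<form action="?id=gbadd" method="POST">
  <img width="150" height="100" src="?img=1&amp;random=<?php echo microtime(true); ?>" alt="secImage"><br>
  <input size="50" maxlength="60" type="text" name="sec"><br>
  <input type="submit" value="Send">
</form>
```

A POST that arrives before any image was requested finds no stored value and is rejected, which covers the empty-session first visit logged earlier in the thread.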