Problems with sessions

Posted: Fri Feb 23, 2007 1:09 pm
by mjseaden
Hi,

I've created an image validation script in PHP, which generates graphical letters on top of an image using the GD2 library. I want to ask the users to type in what's on this image to prevent someone repeatedly trying to guess passwords on my password pages by programming their own browser.

The PHP script, validate.php, sends JPG headers to the browser, and I get the image onto the page in an img tag:

<img src="validate.php"/>

In my image validator generation script validate.php, I turn on sessions, and I save the random 5-digit code I render to the image to the session 'verify_code'.

Here's the problem. When I try and access the session from the php script in which the <img> tag is placed, it doesn't show up as a recorded index.

Curious, I've checked the directory in which my PHP install is writing session data, and lo and behold, it is using different unique session IDs for the validate.php script, and the script in which the image is rendered.

Therefore I can't access the verify code from the script I need to.

Why are the sessions different, and is there any way I can make them the same (sounds like something that's difficult, but I've got to ask)?

Many thanks

Posted: Fri Feb 23, 2007 2:14 pm
by Begby
Are you accessing the scripts from the same URL? Like is one http://www.mysite.com/validate.php and the other one http://www.myothersite.com/formscript.php?

Posted: Fri Feb 23, 2007 3:00 pm
by mjseaden
Hi begby,

No, both scripts are on the same server, but PHP is generating different session IDs for both. Both session files are stored on my server's sessions directory (C:\Temp).

I don't know why the script loaded with <img src="script.php"/> produces a different session ID to the script on which the image tag is.

Posted: Fri Feb 23, 2007 9:22 pm
by feyd
If the information from session_get_cookie_params() is different, that would explain it.

Posted: Sat Feb 24, 2007 2:49 am
by mjseaden
Hi feyd,

As I say, I know that the session IDs being recorded for each script are different, as they produce different session files in my C:\Temp directory, where all sessions are recorded. Here's an output of the two separate files. I have 'verify_code' being used as a session variable in verify.php, and 'testsession' being used as a session variable in admin.php, which includes an include file called adminbase.inc, which defines a class that produces a login form that includes the verification image.

verify_code|s:32:"34a8f3b181ca4b9df3e3b477546ac7a5";

testsession|s:5:"hello";

The verify code has been passed through an MD5 hash.

Is it possible that this is caused by the fact that the login form logic is in a .inc file, and being included in admin.php - is it possible that PHP is allocating different session IDs to an include?

Many thanks, would be great to solve this problem.

Posted: Sat Feb 24, 2007 10:25 am
by feyd
mjseaden wrote: Is it possible that this is caused by the fact that the login form logic is in a .inc file, and being included in admin.php - is it possible that PHP is allocating different session IDs to an include?
PHP doesn't care what file extension it's processing.

Did you look at the output of session_get_cookie_params() for each of the scripts?

Posted: Sat Feb 24, 2007 10:37 am
by mjseaden
Hi feyd,

I can't run the session parameters function in verify.php, as if it outputs any data, it 'corrupts' the jpeg produced by the verify.php script after being called from the <img...> tag. So in the state it's currently in, I can't read any text sent to the browser.

Posted: Sat Feb 24, 2007 10:52 am
by feyd
So disable the jpeg stuff so you can debug it.

Posted: Sun Feb 25, 2007 9:57 am
by mjseaden
Hi feyd,

The reason why disabling the jpeg code doesn't aid matters is that the script is called from an <img> tag, not a link or from entering the script in the address bar. Therefore I can't output text into the image, and simply checking the verify.php script by putting it directly into the address bar will not help because that is not the circumstance in which the script is used.

My suspicion is that PHP allocates a different session ID because the script is executed from an IMG tag. I don't believe it's arbitrary, rather like PHP allocating a different session ID if you use <ForceType> on any particular script.

This still isn't resolved, so I'll continue plugging away...

Posted: Sun Feb 25, 2007 10:37 am
by feyd
As long as the URL is the same, it's exactly the same to the browser. So yes, you can output text from the image script.
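
The comparison feyd asks for can be made without writing anything into the image response by sending the diagnostics to the PHP error log. The following is an added example, not code from the thread or its posters; the file name session_debug.php and both function names are hypothetical.

```php
<?php
// session_debug.php (hypothetical file name) - added example, not from the thread.
// Require it from BOTH scripts before any output, then compare the two
// SESSIONDIAG lines in the PHP error log.

function start_session_with_diagnostics(string $label): void
{
    $name = session_name();

    // Did the browser send a session cookie with this request at all?
    $sent = $_COOKIE[$name] ?? null;

    session_start();

    $report = [
        'script'        => $label,
        'host'          => $_SERVER['HTTP_HOST'] ?? '(none)',
        'request_uri'   => $_SERVER['REQUEST_URI'] ?? '(none)',
        'session_name'  => $name,
        // Session IDs are credentials: log a short fingerprint, never the raw ID.
        'cookie_sent'   => is_string($sent) ? fingerprint($sent) : '(no cookie)',
        'session_id'    => fingerprint(session_id()),
        'cookie_params' => session_get_cookie_params(),
        'save_path'     => session_save_path(),
    ];

    // error_log() goes to the server log, not the response body,
    // so the JPEG sent by the image script is not corrupted.
    error_log('SESSIONDIAG ' . json_encode($report));
}

function fingerprint(string $value): string
{
    // Truncated SHA-256: enough to tell two sessions apart, useless as a cookie.
    return substr(hash('sha256', $value), 0, 12);
}

// Image script (validate.php), before header() and the image output:
//   require 'session_debug.php';
//   start_session_with_diagnostics('validate.php');
//
// Page that contains <img src="validate.php"/> (admin.php), before any HTML:
//   require 'session_debug.php';
//   start_session_with_diagnostics('admin.php');
```

Matching session_id fingerprints in the two log lines mean both requests share one session. A "(no cookie)" entry, or a different host, session_name or cookie_params between the two lines, shows where the requests diverge.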