PHP readfile images and cookie creation....
Posted: Wed May 30, 2007 12:24 am
So I created a script to send images to a person, but before it does, it creates a tracking cookie, then sends it via the setcookie etc, all that works fine and dandy, if and only if I go directly to the image url
E.G.
Code:
http://notmysite.com/picture.php&image=test.jpg
(edit)
I titled it with readfile, so I should, I suppose, elaborate
pseudo(ish)code
Code:
// ValidUserInput() and CreateGUID() are helpers that are not shown in the post.
// Read the tracking cookie if the client sent one (avoids an undefined-index notice).
$uniqid = isset($_COOKIE['tracking']) ? $_COOKIE['tracking'] : null;
// Discard a cookie value that fails validation.
if (!ValidUserInput($uniqid)) {
    unset($uniqid);
}
// No usable id: create a new one.
if (!isset($uniqid)) {
    $uniqid = CreateGUID();
}
// Headers (cookie and content type) must be sent before any image bytes.
setcookie('tracking', $uniqid);
header('Content-Type: image/jpeg');
readfile('test.jpg');
(/edit)
the code executes and sends back a cookie to the url requester.
What I'm having problems with is that if that image is in an IMG tag, it will not send the cookies. Is this normal behavior, and where perhaps would be some documentation on the reasons why? I kinda figured it was a security or privacy issue.
But the next thing I can't understand is that the client agent WILL provide previously set cookies to the script, so logging of the uniqid is still valid.
I'm using this in a cross site situation, but it's fair to guess it will not set the cookies if brand Z is in fact the same host.
So once more.
If new user X visits the site and gets the cookie, and then website brand Z sends him a hotlinked IMG, I get the previously set cookie and can log the traffic as X.
If new user Y visits website brand Z, which sends him the hotlinked IMG, the cookie is not sent. I end up creating a new id but I cannot set one for him, and traffic is still logged under the new id (which gets created each time there is no id present).
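The user X and user Y cases from the post, modelled as an added example (not the poster's code). It assumes a client that ignores Set-Cookie on a response from a host other than the page's host but still sends cookies it already holds; `brand-z.example`, `isThirdParty()`, `servePicture()` and `request()` are hypothetical names.

```php
<?php
// Constructed model of the client behaviour the post describes.

// Assumption: "same site" is approximated by exact host equality.
function isThirdParty(string $pageHost, string $resourceHost): bool
{
    return strcasecmp($pageHost, $resourceHost) !== 0;
}

// Stand-in for the post's picture.php: reuse a valid id or mint a new one.
function servePicture(array $cookies): array
{
    $id = $cookies['tracking'] ?? null;
    if ($id === null || !preg_match('/^[0-9a-f]{16}$/', $id)) {
        $id = bin2hex(random_bytes(8));   // plays the role of CreateGUID()
    }
    return ['logged_id' => $id, 'set_cookie' => ['tracking' => $id]];
}

// One image request from the modelled client. $jar is keyed by cookie host.
function request(array &$jar, string $pageHost, string $resourceHost): string
{
    // Cookies already stored for the resource host are always sent.
    $response = servePicture($jar[$resourceHost] ?? []);
    if (!isThirdParty($pageHost, $resourceHost)) {
        // Set-Cookie is honoured only in a first-party context.
        $jar[$resourceHost] = $response['set_cookie'] + ($jar[$resourceHost] ?? []);
    }
    return $response['logged_id'];
}

$tracker = 'notmysite.com';      // host from the post's example URL
$brandZ  = 'brand-z.example';    // constructed host for "website brand Z"

// User X: opens the image URL directly, then meets the hotlinked IMG on brand Z.
$jarX = [];
$x1 = request($jarX, $tracker, $tracker);
$x2 = request($jarX, $brandZ, $tracker);
echo 'X logged under one id: ', var_export($x1 === $x2, true), PHP_EOL;

// User Y: only ever receives the hotlinked IMG on brand Z.
$jarY = [];
$y1 = request($jarY, $brandZ, $tracker);
$y2 = request($jarY, $brandZ, $tracker);
echo 'Y logged under one id: ', var_export($y1 === $y2, true), PHP_EOL;
echo 'Y cookie jar is empty: ', var_export($jarY === [], true), PHP_EOL;
```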