php sessions

edspace

I am trying to use sessions for the first time as a way to stop leechers.

I have an album.php file and a play.php file.
The album.php will start a session and register a variable such as
$refer = mypage;

The play.php session will try to check if $refer is registered and if it is equal to "mypage". If $refer is registered in the session then the media file will start playing. If $refer is not registered the user will be redirected to the album.php page.

1) Are there any problems with the way I am approaching this?

2) What is the lifetime of the session if the user has disabled cookies?

I am using transparent SID so they can easily see the session id in the url and bookmark it.

If the cookies are disabled i have no way of knowing if the user has stopped viewing my page and I dont know when to destroy the session.

3) Is SID still valid if transparent SID is enabled?

Thanks for the help.

Ed.

MrAlaska

Native session support does not validate the user, it only maintains state and it is up to you to insure the user is who he says he is. You do this by registering unique environmental variables such as their IP and browser used as session variables, then compare those variables to the ones assigned to the session and see if they are the same. The way you are doing it would still allow 'session hijacking'.

It all depends on your level of concern and what your users have at risk the level of security you want to use. Your users are still vulnerable if they are logging in over an unencrypted wire. SSL is the only way I know of to guard against that.

I manage my own sessions so I am not totally familiar with PHP session details, but I believe the default timeout is something like twenty minutes whether cookies are enabled or not. This is set in the PHP.ini file.

If you want the session in the URL there is no reason to even enable cookie support, just set up the ini to use url-encoding only. However, what good is bookmarking a closed session?

edspace

Thanks for your reply MrAlaska.

I am not trying to validate the user, at least not with any sensitive information. All I am trying to do is link album.php with play.php with some hidden variable such as the users IP, USER_AGENT etc. I originally encoded their ip address to a variable and passed that in the url. This works fine for most people but damn proxy caches gave users old url's that had an old IP embeded in the url.

This is the reason why i am trying to use sessions. If the sesssion is open then i know they came from my page and not from another page leeching my files.

I changed all my links to include a SID. This works fine with or without accepting cookies but i am not sure how many sessions are created with one user becuase transparent SID is also enabled.