Verification using sessions

Helios

I have downloads on my site and, for legal reasons, I need proof that the person viewing the download page has read a disclaimer. Therefor, I need some way of passing the proof along. I tried verification using their IP, as in MD5ing their IP and passing it along through the URL but that method required a lot of rewriting of complicated code, because much of the listing of files is done through $_SERVER['QUERY_STRING'] of one file instead of several. My next thought was to use a cookie, but cookies do not necessarily work on all browsers. So (although this is not urgent) I need an alternative method.

What I need is some code that can be included to the top of any page that says:

If $SESSION['safe'] = 1, then allow the person to view the page. If $SESSION['safe'] = 0, then forward them to google.com.

I can work with just about anything, please help!

lobo235

Sounds like you've got quite a problem. Sessions in PHP (In my experience at least) are cookie based or query string based. Cookies are probably the best route in your situation because you work a lot with the Query String. I would recommend using PHP's built in session function with Cookies eventhough some (older) browsers don't do the cookie thing. If their browser doesn't support cookies you may be able to do something with their IP like you have previously done.

trooper

OK what you need to do is set up the server to only create session cookies on the server

ini_set("session.use_only_cookies","0");

That line will tell the server to not only use session cookies - instead the session id will be appended to the url (if the browser rejects session cookies). This allows for those browsers that do accept them to receive a session cookie.

So on the page with the disclaimer you need to get them to do something like check a checkbox then when they press submit check (probably via another page) to see if the checkbox was checked.

If it was then start a session.

e.g

session_start();
$_SESSION['read_disclaimer'] = 'true';

On the download page do a check to see if there is a valid session, if there is then fine otherwise redirect them outa there.

session_start();
if($_SESSION['read_disclaimer'])
{
    show the downloads
}else{
    redirect to somewhere else
}

Obviously i have made the session names / value very simplistic but its just to give you the idea of how to deal with it

HTH

Helios

Wow I can't believe how simple that was. Thank you very much!

Helios

One more question though: these sessions work with multiple users? Like if one person has a session that is called 'read_disclaimer', then other people can use the same one without me having to name any SIDs?

scoppc

session ID will be automatically created for new user if the session doesnt exist. So, it will absolutely work with all users. 🙂