Sessions and Header File Output

TOrpheus

Hi All,

I'm trying to write a secure script that will only allow a user to view a file stored in a database if they have access.

To clarify:

I'm storing files in a database.

Only "registered login" users will be able to view/download these files.

So what I'm doing is using the header() function to file stream the data out of the database.

The problem I'm running into is that I make a call to 'session_start()' at the top of the script so that I can make use of the session variables. But then the header() call I make will not operate correctly because teh session_start() has already sent some data.

The following sample code WILL NOT work:

session_start();
header("Content-Type: $fileDataType");
header("Content-Length: $fileSize");
header("Content-Disposition: attachment; filename=$filename");

function_that_ouputs_data();

Any help would help!

Thanks!

tekky

I would assume session_start() would have to be called AFTER header()....
if nothing else, use output buffering, supposedly it will handle output in the propper method regarding header() and other outputs....

pnoeric

Are you sure that's the problem? Seems like I've put session_start() above header() many times without any problems. If I recall my HTTP protocol stuff correctly, session_set does write out info but it's header info, which means it shouldn't affect other header() stuff you put out there.

Try writing a two-line test script to do session_start() then header() (maybe header("Location: http://www.yahoo.com")😉 --if it works, you know the problem isn't session_start() being above header()

best
Eric()

TOrpheus

Hi there,

The problem is that when I add the session_start(); call, the file doesn't ouput properly (I mean NOT at all).

It appears as though mixing the session_start() header details that are sent when it's called is INTERFERING with the header() calls I make explicity.

Thanks for the help!

pnoeric

Oh, gotcha. Sounds like a browser bug... but seems like I've gotten around this before... hang on... no, I just found a piece of code that does exactly that-- session_start(), then some database work, then header() with a content-type and finally echoing data out (in this case, graphic data, to display JPGs on the fly for approved users only). Keep playing with your code?

TOrpheus

Hi Pnoeric,

Are you saying you have a fix? Can you show me your sample code.

Thanks!

pnoeric

sure, here 'tis. the very first thing in common.inc.php is session_start(). this is a variation on the code I mentioned, doens't use the db.

<?php

// fetch picture from db - p = pid; s = set id; optional t = thumb to show thumb

include('common.inc.php');		// this calls session_start()

include('thumbsys.inc.php');
$t = new ImgSystem;
$t->setDb($gDB);

$pid = $_GET['p'];
$sid = $_GET['s'];
$type = $_GET['t'];

$f = 'eps_images'._delim.'protected.jpg';			// default image, if security checks fail


if($pid && $sid) {
	// now we have picture ID and section ID
	// before we fetch the image, check to see if the user has access to get it

// first check to see if they have access to this SET (no need to check section)
$gp = $sess->get_gid();
if ($t->checkSetAccess($gp, $sid)) {
	$th = 0; if (substr($type,0,1) == 't') $th = 1;		// display thumb?

	$src = $t->getImagePaths($pid, $sid);		// get disk paths to image
	$f = $src[$th];								// use right path (big img or thumb)
}
}

if ($_REQUEST['debug']) {
	$m = pathinfo($f);
	echo '<hr><code>'.$m['basename'].'</code>';
} else {
	header("Content-type: image/jpeg");				// get ready to output image
	@readfile($f);
}

?>

TOrpheus

Hi there,

Thanks for the sample code...

So my code is pretty much the same... but it doesn't work... 😉 Any idea why?

pnoeric

Good question ;-) Try "jiggling the handle"-- i.e. move things around, rename the session, change the header info, try a different browser... all those might help you home in on a solution. Sorry I can't be more help.