0

This is my index.php:

<?php

 require_once('includes/settings.php');
 require_once('includes/functions/images.php');

 $_SESSION['userisonpage'] = true;

In the Settings-file there is the session_start and a few things like the database Connection:

<?php

 error_reporting(0);

// ini_set('session.gc_maxlifetime', 180);

 session_start();

Now I have an image.php that receives a GET-Parameter after a specific rewrite rule.

RewriteRule ^images/items/(.+)$ /index.php?image=$1 [L,QSA]

So far so good. The image.php checks then if there was set the $_SESSION['userisonpage']-sessionvariable before loading the image. I dont know why, but the result is always false and shows the "hotlink.jpg"-file - even if the image is loaded within the webpage.

<?php

 if(isset($_GET['image'])){

  $path = '/data/web/123456/html/abc/images/';
  $file = trim($_GET['image']);

  if(file_exists($path.'items/'.$file)){

   if($_SESSION['userisonpage'] === true){

    echo file_get_contents($path.'items/'.$file);

   }else{

    echo file_get_contents($path.'hotlink.jpg');

   }

  }else{

   header('location: https://abc.de/');

  }

  die;

 }

?>

EDIT #1

Ok, I found out that when I call the image with the URL

http://abc.de/images/items/test.jpg

the Session ID always is another one while when I call the same image with the URL

http://abc.de/?image=test.jpg

the Session ID stays the same.

So it seems to be a problem between Sessions and Mod Rewrite.

Edit #2:

I now found out that when I call the image with this URL

http://abc.de/images/items/test.php // <-- !!! PHP-extension !!!

and replace the .php in the get-parameter with .jpg

 if(isset($_GET['image'])){

  $path = '/data/web/123456/html/abc/images/';
  $file = trim($_GET['image']);
  $file = str_replace('.php', '.jpg', $file); // <-- replace the extension

  if(file_exists($path.'items/'.$file)){

it also loads the session variable and the image as it should.

Bernhard
  • 1,852
  • 11
  • 19
  • Did you check the value of `$_SESSTION` at the top of `includes/functions/images.php`? – Van Tho Jan 14 '19 at 07:16
  • yes but it is always empty when the image rewrite is done. but it should be set, because session_start() is called. – Bernhard Jan 14 '19 at 07:17
  • How about adding `if (!isset($_SESSION) { session_start() })` at the top of `includes/functions/images.php` (just to make sure that session is started), Maybe changing `include_once` to `include` will solve the problem... – Van Tho Jan 14 '19 at 07:25
  • This does not Change anything. BUT now i found out: When I load an image without rewriting the URL, the image loads like it should. http://abc.de/?image=test.jpg gets loaded while http://abc.de/images/items/test.jpg does not load. – Bernhard Jan 14 '19 at 07:40
  • I updated my posting. – Bernhard Jan 14 '19 at 08:04
  • That would be weird. Sessions are shared across a domain. If both sites run on abc.de, the cookie should be shared, except if in your PHP settings it is defined otherwise. Are you sure that both files contain a `session_start()` as soon as possible? And that both sites are on the same domain? – minitauros Jan 14 '19 at 08:32
  • That is what I thought too. As you see in the code shown above, there is always first included the settings.php which contains the session_start(). So I would say it is as soon as possible. In the hosting-settings I also configured the domain in a way that it redirects any requests that includes "www" to the domain without "www". I do not use any subdomains with this domain. So I think there is no confusion with a domainname. – Bernhard Jan 14 '19 at 08:46
  • https://stackoverflow.com/questions/6200612/session-variables-are-not-persisting-between-page-loads/7142449#7142449 – Bernhard Jan 14 '19 at 08:49
  • Out of curiosity, are you aware of what `error_reporting(0);` does? – Álvaro González Jan 14 '19 at 08:51
  • Of course. E_ALL Returns an "undefined variable" ($_SESSION['userisonpage']) when I load the page with mod_rewrite. But thats clear, because it looses the session. – Bernhard Jan 14 '19 at 08:52
  • Is the session cookie set with the correct domain and path parameters? Are these the same in both cases (for the Set-Cookie header that your browser should receive with the initial request for the page, and for the one with the new session id that should come in the response of that particular image resource request)? – misorude Jan 14 '19 at 09:26
  • The session is always set in the settings.php with the same parameters (no special parameters set). I already played around with session_save_path but this does not change anything. – Bernhard Jan 14 '19 at 10:34
  • I think it could be possible that there is a misinterpretion in the file-type due to the .jpg-extension. – Bernhard Jan 14 '19 at 13:02
  • I now tried to load the image with the extension .php. Then I changed the extension when I read the get-Parameter in my script to jpg and it worked (see Edit #2) – Bernhard Jan 14 '19 at 13:39

1 Answers1

0

Partial solution

You need to add the full URL in the rewriterule:

RewriteRule ^images/items/(.+)$ https://abc.de/index.php?image=$1 [L]

The script will then recognize the session-variable. You can also put the "beautiful" (unrewritten) path to the image inside of the img-src-Attribute.

https://abc.de/images/items/test.jpg

BUT: If you open the image in a new tab (the image alone) it will display the "ugly" (rewritten) path

https://abc.de/index.php?image=test.jpg
Bernhard
  • 1,852
  • 11
  • 19