Firefox not reading session

[jaymc]

I have made a hotlink protection script where as all .wma files are restricted from being served via .htaccess

I then have a file which is used to serve .wma files via headers and readfile()

So i can play autio on my site like so..

[code]<embed src=music.php?file=song.wma></embed>[/code]

in music.php I have this


[quote]if ($User_Session == "") {die("HAHA");}[/quote]

So basically if they dont have a session, then they cant listen to the audio...

No for somereason, it doesnt work in firefox. Works no problem in IE, but not in firefox.

It works in both without that die() stuff, so obviously FIREFOX is not passing the session to that music.php file when requested via <embed>

Any ideas why

Driving me nuts

[corbin]

Are cookies enabled in FF?

[jaymc]

Yeh

For some reason its not carrying the session when a request is made to a file like so

<embed src=music.php?file=song.wma></embed>

[corbin]

But it works in IE fine?  Hmmm weird... maybe post the link and see if it works for someone else in FF?  You might not wanna post the link though...

[jaymc]

Ive just had 2 friends try it in firefox..

Doesnt work... so seriously an issue their with the sessions

Help?! :(

EDIT : Here is the exact code in music.php



[code]
session_start();
$User_Session = $_SESSION['username'];

if (!isset($User_Session)) {die("HAHA");}

else {

$file = $_GET['file'];
if (strstr($file, "../")) {die("Nice try wise guy!");}

header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Type: audio/x-mpeg");

readfile("../AuDiO/$file");
}[/code]

And again, here is how that page/code is being requested

<embed src=music.php?file=song.wma></embed>

And also again, IE is having no problem with this at all. Firefox apparently doesnt like to be passed session via embed requests or something or other

[kenrbnsn]

Can you post the scripts in question?

Ken

[corbin]

whats settin $_SESSION['username']?

[michaellunsford]

although this probably isn't the issue -- the "embed" tag has been depreciated. Have you tried using the proper <object> tag?

also, if you put up a test url, I don't mind curling it to see what it does.

[jaymc]

Object causes the page to crash a lot, Ive tried both, Embed works the best

I cant put up the URL its all firewalled and I dont have access to that..

[jaymc]

OK, Its 100% Firefox not passing session. I've basically ammended the code to confirm this

<embed src=music.php></embed>

music.php contents:
[code]
if (!isset($User_Session)) {file_put_contents("off.txt", "No Session");}

else {
file_put_contents("off.txt", "Session!");
[/code]

In IE
off.txt = Session!

In Firefox
off.txt = No Session

In Opera = Session!

[michaellunsford]

you [u]could[/u] send music.php the session data via GET...

[code=php:0]echo "<embed src='music.php?sessid=".session_id()."'></embed>";[/code]


then have music.php verify session data that way.

[b]Also,[/b] you might want to post the embed/cookie issue on firefox's bugs forum: http://forums.mozillazine.org

[jaymc]

'sessid'

is that bespoke to php? I think on my server I have the session var set to just 's'

I will certainly try it anyway, if not I'll post on that forum

Thanks for help

[michaellunsford]

you can call it whatever you want to pass it -- on the other end, you'll still need to catch it and start a session using that ID. Theres a use_trans_sid setting you can turn on -- but I don't think it will help with an <embed> -- could be wrong.

[jaymc]

Its not workin

[code]$seshid = session_id();
$retseshid = $_GET['s'];
[/code]

They both equal the same value which is great, however, if i then access the page in an external window the session is still carried, theirfor they can bypass the security

e.g

http://192.168.1.10/site/music.php?song=4113.wma&s=dmfsrib2t30rgsegt1aqcqdi77

Then...
$seshid = dmfsrib2t30rgsegt1aqcqdi77
$retseshid = dmfsrib2t30rgsegt1aqcqdi77

How is session_id() still kept alive in an external IE window

Am I doing something wrong?

[michaellunsford]

have you tried setting the session_id($_GET['sessid']); on the movie end?

[jaymc]

Yes...


[b]$seshid = session_id();
<embed src=music.php?song=song.wma&s=$seshid>[/b]

music.php..

[b]$seshid = session_id();
$retseshid = $_GET['s'];

if ($seshid == $retseshid){FINE} ELSE{NOTFINE}[/b]

IE = FINE
Firefox = FINE

But... if I then copy this into an external browser window

192.168.1.10/music.php?song=song.wma&s=$seshid

Then the music is loaded because their session is for some reason still existing in a totally new browser window. I cant have that, because that then streams the audio and allows them to save

The solution for that would be to some how make the session only valid in the same browser WINDOW it was created in..

[michaellunsford]

no no

music.php:
[code=php:0]session_id($_GET['s']);
session_start();
if (!isset($_SESSION['username'])) {die("HAHA");}
...
[/code]

[jaymc]

Yeh, it does work like that, but, if they then open up a new IE window and copy the link in the address bar its still valid

Thats my problem, I cant allow direct requests...

As it stands its all done within a heavily secure iframe. No right clicks or anything etc..

But with them being able to still have a valid session in a totally new browser window that defeats the whole object of it in the first place..

From What I gathered the session was only adtive in the browser window it waws created in as well as any windows that have been open from that original window

Not a totally new one..

[michaellunsford]

sessions via cookies are active in a browser until the cookie expires or the browser closes (depending on the time stamp you specify). It is possible to spoof a cookie, although passing a session ID via GET is a little easier to do.

A few ideas:
You can add security by putting something verifiable in the session and in GET, and then verifying a match on the other end. Something like a random number you create. The other end would verify that the session variable matches the GET variable, then unset the session variable so it couldn't be used again.

There are some other tricks -- a quick google search on "php session hijacking" will reveal quite a few. This document is quite helpful and relevant: http://phpsec.org/projects/guide/4.html

[jaymc]

Is their anyway to only have the session active within the browser window it was created in...

If not their really is no way around this as they can open the link in a new window and get a direct stream of the file as the session is still active in it..

Any ideas?

[michaellunsford]

The best suggestion I have is to create an "authorized" session variable on the calling page. Then have the music.php page verify that the "authorized" session variable exists and unset it before presenting the content. That way if they try to open the file in another window (same browser or not), it won't give up the file. That should be enough to keep any regular Joe from stripping your audio.

The only way I can think of to break it would be to figure out how to load the html page without loading the embedded content. Then they can open the file in a separate browser window. The mystery and effort required to accomplish this should be a sufficient deterrent, though.

[jaymc]

So create a session in the embed page and then unset it in the music.php after it has been verified to ensure if its requested externally the session will be 'dead'

[jaymc]

I've done that and it worked in firefox and not IE

for some reason when unsetting the session after veryfying it firefox doesnt like it...

[jaymc]

Ive just tried exactly the same method but using COOKIES instead

Again, firefox fails

Really, the only way I can do this is with my original way, due to the nature of the content and the structure...

Firefox fails to read cookies and sessions when a page is accessed via a request from

embed src=music.php

Is this a firefox bug? or is it like that for security reasons etc...

That really is the root of my problem and if I cant get it to work my website simply cannot support firefox...

Anyone have any information on this on as to why firefox cant read a session or cookie when requested like that

[michaellunsford]

I would be very interested to know what feedback you get from the mozillazine forum. be sure to post any results back here.