$_SESSION not being updated when .html page is parsed as html - Challenge :)

[leevigraham]

Hey guys,

 

I have a tricky one here.

 

I have two pages with exactly the same code on them.

 

Page 1 is a .php page http://www.kellisells.com/listings/homes.php

Page 2 is a .html page http://www.kellisells.com/listings/homes2.html

 

The html page is being parsed as a .php page using:

 

AddType application/x-httpd-php .html .cgi

 

My issue is that the .html page is not updating or correctly showing the $_SESSION variable.

 

The code for each page is:

 

<?php session_start(); ?>

<img src="../includes/CaptchaSecurityImages.php?width=100&height=40&characters=5" /><br />

<?php print_r($_SESSION); ?>

 

The ../includes/CaptchaSecurityImages.php?width=100&height=40&characters=5 creates a captcha image and saves the value to the session which is outputted below.

 

Does anyone know why the $_SESSION is not being updated correctly?

 

 

[haku]

Have you got session_start() in CaptchaSecurityImages.php?

[leevigraham]

yeah the session is working fine on the php page.

 

I have updated the code and both pages have the same session_id.

 

[leevigraham]

Heres the captcha file

<?php
session_start();

class CaptchaSecurityImages {

var $font = 'monofont.ttf';

function generateCode($characters) {
	/* list all possible characters, similar looking characters and vowels have been removed */
	$possible = '23456789bcdfghjkmnpqrstvwxyz';
	$code = '';
	$i = 0;
	while ($i < $characters) { 
		$code .= substr($possible, mt_rand(0, strlen($possible)-1), 1);
		$i++;
	}
	return $code;
}

function CaptchaSecurityImages($width='120',$height='40',$characters='6') {
	$code = $this->generateCode($characters);
	/* font size will be 75% of the image height */
	$font_size = $height * 0.75;
	$image = @imagecreate($width, $height) or die('Cannot initialize new GD image stream');
	/* set the colours */
	$background_color = imagecolorallocate($image, 255, 255, 255);
	$text_color = imagecolorallocate($image, 20, 40, 100);
	$noise_color = imagecolorallocate($image, 100, 120, 180);
	/* generate random dots in background */
	for( $i=0; $i<($width*$height)/3; $i++ ) {
		imagefilledellipse($image, mt_rand(0,$width), mt_rand(0,$height), 1, 1, $noise_color);
	}
	/* generate random lines in background */
	for( $i=0; $i<($width*$height)/150; $i++ ) {
		imageline($image, mt_rand(0,$width), mt_rand(0,$height), mt_rand(0,$width), mt_rand(0,$height), $noise_color);
	}
	/* create textbox and add text */
	$textbox = imagettfbbox($font_size, 0, $this->font, $code) or die('Error in imagettfbbox function');
	$x = ($width - $textbox[4])/2;
	$y = ($height - $textbox[5])/2;
	imagettftext($image, $font_size, 0, $x, $y, $text_color, $this->font , $code) or die('Error in imagettftext function');
	/* output captcha image to browser */
	header('Content-Type: image/jpeg');
	imagejpeg($image);
	imagedestroy($image);
	$_SESSION['security_code'] = $code;
}

}

$width = isset($_GET['width']) ? $_GET['width'] : '120';
$height = isset($_GET['height']) ? $_GET['height'] : '40';
$characters = isset($_GET['characters']) && $_GET['characters'] > 1 ? $_GET['characters'] : '6';

$captcha = new CaptchaSecurityImages($width,$height,$characters);

?>

[legohead6]

you cannot pull php on a html page...

[cooldude832]

is it not working period (meaning session are empty) or is it displaying a 1 page stagnet session value?

 

You can always set a session after headers are sent, but the data isn't in the superglobal until the page is reloaded.

 

you cannot pull php on a html page...

 

 

Read their .htacess mod its legit to do this

[leevigraham]

Here is the code on both the php and html page.

 

Examples of the pages working are in the first post

 

<?php session_start(); ?>
<?php echo("The session id is: ". session_id() . "<br />"); ?>
<img src="../includes/CaptchaSecurityImages.php?width=100&height=40&characters=5" /><br />
<?php print_r($_SESSION); ?>

 

 

[leevigraham]

Oh and my htaccess does have:

 

AddType application/x-httpd-php .html .cgi

 

and my tests show that .html is being parsed as .php

[cooldude832]

is it one refresh old?  if it is then the issue is that you are sending headers somehow before the session value is sent, thus it isn't updated until a refresh.  There is no way around this unless you do some fancy javascript to get the session data via AJAX or somehow supress the  header sending until that session is sent

[leevigraham]

To test that sessions are being set I have updated the source of both pages:

 

PHP page:

 

<?php session_start(); ?>
<?php $_SESSION['php_session_test'] = 'OK' ; ?>
<?php echo("The session id is: ". session_id() . "<br />"); ?>
<img src="../includes/CaptchaSecurityImages.php?width=100&height=40&characters=5" /><br />
<?php print_r($_SESSION); ?>

 

HTML page:

 

<?php session_start(); ?>
<?php $_SESSION['html_session_test'] = 'OK' ; ?>
<?php echo("The session id is: ". session_id() . "<br />"); ?>
<img src="../includes/CaptchaSecurityImages.php?width=100&height=40&characters=5" /><br />
<?php print_r($_SESSION); ?>

 

[cooldude832]

and their respective output (include the captcha the image states)

[leevigraham]

is it one refresh old?  if it is then the issue is that you are sending headers somehow before the session value is sent, thus it isn't updated until a refresh.  There is no way around this unless you do some fancy javascript to get the session data via AJAX or somehow supress the  header sending until that session is sent

 

The reason why the php page is one refresh old is because the script creating the image is called after the initial script has been run. This doesn't seem to be an issue.

 

I'm more concerened that the .html page is not accessing the saved $_SESSION.