Is it possible to save a cookie on a user computer when he loads an image from my server?
So let's say my image url is: http://www.site.com/image.jpg
If he loads just that jpg, can I save a cookie on his machine?
Thanks,
You will have to serve the image through a PHP script if you want to use PHP for this. This may be done by rewriting the request to go to a PHP file, and then use readfile in that script.
Another solution is to set the cookie directly in your web server. How you do that depends on the web server you are using. This is how you do it in Nginx:
location /image.jpg {
add_header Set-Cookie "cookiename=value";
}
And for Apache:
<FilesMatch "^image\.jpg$">
Header set Set-Cookie: "cookiename=value"
</FilesMatch>
If you are using Apache 2.0.40 (or later) then you can try adding the following code in .htaccess file:
RewriteEngine On
RewriteBase /
RewriteRule ^image\.jpg$ - [co=YourCookieName:YourCookieValue:YourCookieDomain]
More info here
Related
if I have /faq.php on the server it can also be accessed via /faq.php/nonexistant.gif why? I have made sure MultiViews are disabled. Why does the contents of /faq.php get shown when I access the URI /faq.php/randomstuff.gif? FYI, I have no htaccess file in the same directory.
/nonexistant.gif will be HTTP "PATH_INFO": http://www.ietf.org/rfc/rfc3875, section 4.1.5
Basically, the webserver will scan "down" a url until it hits an actual file. Anything after that file in the url becomes PATH_INFO.
http://example.com/some/path/leading/to/realfile.php/extra/stuff/that/becomes/path/info
^^^^^^^^^^^^^^^^^^^^--- real directories
^^^^^^^^^^^^--actual file, scanning stops here
^^-----onwards = path_info
That is called path_info. You can disable it using AcceptPathInfo Off in the apache config. People generally use it as a fake mod rewrite when mod rewrite is not availalble.
http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo
I have some existing PHP code on my server. Now I want log-in complete information about requests that come to my server. I don't want to make any changes to existing code. I am using apache mod_rewrite for this. I have a sample php script,stats.php which looks something like this
<?php
/*NOTE:This is peseudo code!!!*/
open database connection
add serverinfo, referer info, script_name, arguments info to database
change characters in request from UTF16 to UTF 8.
//Call header function for redirection
$str = Location : $_SERVER["REQUEST_URI"]
header ("$str");
?>
In httpd.conf file
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/stats\.php
RewriteCond %{REQUEST_URI} !\/favicon\.php
RewriteRule ^/(.*)$ /stats.php?$1 [L]
RewriteLog "logs/error_log"
RewriteLogLevel 3
</IfModule>
The problem is, I am afraid this may not be best from SEO perspective and also may be buggy. Are there any better ways to do this? For example, can I use a script to the access_log file?
Say for example, if you go to http://your-domain.com/some-page.html, you'll get a loop:
Browser contacts server with request URI /some-page.html
mod_rewrite rewrites the URI to /stats.php?some-page.html
The stats.php does its thing, then redirects the browser to /some-page.html
Browser contacts server with request URI /some-page.html
repeat starting at #2
What you need to do instead of responding with the Location: header is read the contents of the some-page.html file and return that to the browser, essentially "proxying" the request for the browser. The browser therefore doesn't get redirected.
As for how to do that in php, there's plenty of google results or even plenty of answers on Stack Overflow.
I figured what I should do. I did the following
1) Add a custom logformat to httpd.conf file.
2) Added a customLog dirctive. Piped the output to stats.php.
3) stats.php takes care of adding the code to database.
There are some scripts that I use only via ajax and I do not want the user to run these scripts directly from the browser. I use jQuery for making all ajax calls and I keep all of my ajax files in a folder named ajax.
So, I was hoping to create an htaccess file which checks for ajax request (HTTP_X_REQUESTED_WITH) and deny all other requests in that folder. (I know that http header can be faked but I can not think of a better solution). I tried this:
ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$
ReWriteCond %{SERVER_URL} ^/ajax/.php$
ReWriteRule ^.*$ -
[F]
But, it is not working. What I am doing wrong? Is there any other way to achieve similar results. (I do not want to check for the header in every script).
The Bad: Apache :-(
X-Requested-With in not a standard HTTP Header.
You can't read it in apache at all (neither by
ReWriteCond %{HTTP_X_REQUESTED_WITH}
nor by
%{HTTP:X-Requested-With}), so its impossible to check it in .htaccess or same place. :-(
The Ugly: Script :-(
Its just accessible in the script (eg. php), but you said you don't want to include a php file in all of your scripts because of number of files.
The Good: auto_prepend_file :-)
But ... there's a simple trick to solve it :-)
auto_prepend_file specifies the name of a file that is automatically parsed before the main file. You can use it to include a "checker" script automatically.
So create a .htaccess in ajax folder
php_value auto_prepend_file check.php
and create check.php as you want:
<?
if( !#$_SERVER["HTTP_X_REQUESTED_WITH"] ){
header('HTTP/1.1 403 Forbidden');
exit;
}
?>
You can customize it as you want.
I'm assuming you have all your AJAX scripts in a directory ajax, because you refer to ^/ajax/.php$ in your non-working example.
In this folder /ajax/ place a .htaccess file with this content:
SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
Order Deny,Allow
Deny from all
Allow from env=ajax
What this does is deny any request without the XMLHttpRequest header.
There are only a few predefined HTTP_* variables mapping to HTTP headers that you can use in a RewriteCond. For any other HTTP headers, you need to use a %{HTTP:header} variable.
Just change
ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$
To:
ReWriteCond %{HTTP:X-Requested-With} ^$
Just check for if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){ at the beginning of the document, if it's not set, then don't return anything.
edit
Here's why: http://github.com/jquery/jquery/blob/master/src/ajax.js#L370
edit 2
My bad, just read through your post again. You can alternatively make a folder inaccessible to the web and then just have a standard ajax.php file that has include('./private/scripts.php') as your server will still be able to access it, but no one will be able to view from their browser.
An alternative to using .htaccess is to use the $_SERVER['HTTP_REFERER'] variable to test that the script is being accessed from your page, rather than from another site, etc.
Is it possible to redirect an image to a dynamically generated image(using PHP)?
I have a dynamically created image and it has an extension ".PHP" (obviously) and that server is not under my control. So I want to redirect "somename.jpg" (on my server) to "remoteserver/dynamicimage.php" (on some remote server not under my control) so that I can right away link it as <img src="somename.jpg"/> and the dynamically generated image is shown.
Please let me know if this is possible.
Browsers follows redirects for images. Create a php-file called "somename.jpg" and add:
<?php
header('Location: http://www.otherserver.com/image.php');
Use the Apache directive ForceType in an .htaccess file to tell the server to process the .jpg file as php:
<Files somename.jpg>
ForceType application/x-httpd-php
</Files>
Or just call the file somename.php if you don't really need the .jpg extension.
You could probably accomplish this using mod_alias as well, although I haven't tried it:
Redirect somename.jpg http://www.otherserver.com/image.php
This would go in an .htaccess file as well.
The header function controls the HTTP header, which is what the browser uses to determine the file type (or should, in any case.) It can be used to tell the browser that the script is generating an image file to be downloaded, rather than HTML script output:
header('Content-type: image/jpeg');
header('Content-Disposition: attachment; filename="somename.jpg"');
Try adding something like this to your .htaccess file
RewriteEngine on
RewriteRule ^(.*)\.jpg$ /scripts/$1.php
It is possible but would result in an HTTP redirect:
RewriteEngine on
RewriteRule ^somename\.jpg$ http://remoteserver/dynamicimage.php [L]
An alternative would be to use a proxy (see P flag), so that your server requests the remote resource and passes it back to the client.
Another much more complicated but incredible powerfull way would be to write some handler code which gets activated for this local image location url.
This one would fetch the data from the foreign url and outputs the data with the right mime type.
One you also write some code to cache this data basing on whatever may be feasible.
This way you would never give away the real location of the image and you could even use some secret credentials like logindata or third party cookies which should not appear on your site.
All of this is much harder to do then to simply configure a redirection in the apache config. We did stuff like this in cases where the url's would leak private informations otherwise.
My PHP app uses 404 Documents to generate HTML files so that multiple queries to the same HTML file only cause the generation to run once.
I'd like to intercept requests to the HTML files so that the user needs to have an established PHP Session in order to pull up the files.
In the best case, SESSION ID would be used in the URL and force it could be used as a further authentication. For example, logging in would issue you a SessionID and make only certain HTML files accessible to you.
I'm aware that by changing my cookies I could spoof a request, but that's fine.
How would I go about doing this?
Something like this could work (I haven't tested it):
RewriteCond %{HTTP_COOKIE} PHPSESSID=([a-zA-Z0-9]+)
RewriteCond %{REQUEST_FILENAME} %{REQUEST_FILENAME}-%1.html
RewriteRule ^ %{REQUEST_FILENAME}-%1.html
It assumes that you append "-$session_id.html" to filenames ($session_id is PHP's session ID).
It should be safe, and the benefit is that files are served by the web server directly without invoking PHP at all.
SetEnvIf HTTP_COOKIE "PHPSESSID" let_me_in
<Directory /www/static/htmls>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>
Of course user can manually create such cookie in his browser (there are extensions which do that for Firefox, and you can always edit your browser's cookie store).
You could use the Apache module mod_rewrite to redirect requests of .html URLs to a PHP script:
RewriteEngine on
RewriteRule \.html$ script.php [L]
The requested URI path and query is then available in the $_SERVER['REQUEST_URI'] variable.
Put you cached files out of your web root, but still in a place where PHP can access them.