Session seems to end when it shouldn't


12 replies to this topic

#1 Tirus

Posted 27 June 2008 - 12:47 PM

So I have a php script that uploads a file to a server, then inserts some info about the file into a mysql database.

I have changed some of the php.ini settings to get to where I am now, that is, to the point where the file uploads successfully and the info is inserted into the database. The script works great with small files. I am currently trying to upload a file of 18 mb.

The problem is that once the file gets uploaded and the info is inserted, I get redirected to my login page, as if the session had expired (since all pages require the session). I have changed session.gc_maxlifetime and session.cache_expire, separately and together, and still it seems that the session ends.

What should be happening, according to my script, is that once the sql query is executed, if successful, it echos that the file was uploaded and returns the user to the main upload page. If there is an error, it should say that there was one and then reload the page. Neither of these happen..instead I get sent back to the login page. Anyone know why this would happen?

Is my session actually expiring...if so, anyone know why?

Thanks,

Tirus

#2 rc69

Posted 27 June 2008 - 11:34 PM

Since there is no code to currently refer to, I'm going to ask the obvious question: Are you calling session_start() at the start of the script, or somewhere in the middle? Also, is the session_id being passed correctly (or is it being handled by cookies)?

#3 JoeyMagz

Posted 28 June 2008 - 01:16 AM

Either what rc69 said or you may need to add this to the top of your code before anything else:

<?php
Header("Cache-Control: Private");
?>

That helps PHP sort the data caches better. I find that when using sessions, this always helps out a lot. Let me know if that solves your problem. :)

Edited by JoeyMagz, 28 June 2008 - 01:19 AM.


#4 Tirus

Posted 28 June 2008 - 12:46 PM

Thanks for the replies, guys.

rc69: yes, session_start() is called at the start of every script. I have not specifically created any cookies to pass the session id. What happens is when the user logs in, the script registers the variable 'username' and the variable 'id'. On every page, right after session_start(), the script checks if $_SESSION['username'] is set. If it isn't, the user is redirected to the login page.

JoeyMagz: thanks for the tip, but it does not seem to solve the problem.


However, rc69, your comment about checking that the session_id was passed correctly made me go back and re-examine what exactly was going wrong. I've created a simplified test php file with just the necessary code to detect where the mistake happens, here's the code:

<?php
session_start(); // called first, as on every other page

if (isset($_SESSION['username'])) {
	$username = $_SESSION['username'];
	echo "Username is set and is equal to <strong>$username</strong>";
} else {
	echo "Session Username is NOT set!";
}

So I log in, I go to this page (testing.php) and it says: "Username is set and is equal to Tirus." I then ran numerous tests where once I load the page, I just wait (which mimics what happens while a file upload is occurring). After a certain amount of time, I refresh the page. I came to the conclusion that after 2 minutes and 30 seconds, $_SESSION['username'] is no longer set and the script says: "Session Username is NOT set!". If I refresh the page before 2:30, the session variable is still set.

For my php.ini settings, I have changed:
max_execution_time = 600;
upload_max_filesize = 150M;
post_max_size = 200M;
session.gc_maxlifetime = 1440;
session.cache_expire = 1000;

If the session variables are expiring early, does that mean that the session is expiring prematurely?

So 2:30 translates into 150 seconds, and there is nothing on my phpinfo page that has that set. I've read on google that by default, session variables expire after 20 minutes. If that is true, why in the world are mine expiring/timing-out after only 2 minutes and 30 seconds?

Edited by Tirus, 28 June 2008 - 12:56 PM.


#5 JoeyMagz

Posted 28 June 2008 - 04:17 PM

Is the server on your home computer or are you being hosted elsewhere? The only advice I can give is do a phpinfo(); and check to see what it says under session.cache_expire in there. If you see it's at 150 then you may need to ask the host to change that in their php.ini and restart their server. If you own the server then make sure you change it in php.ini and restart the server. You may need to stop the server then start it instead of using restart. Let me know if that helps at all. :) Also, if you own the server, phpinfo(); will tell you where the location of the php.ini file is that apache is using. Your server may not be using the php.ini you think it's using.

Edited by JoeyMagz, 28 June 2008 - 04:18 PM.


#6 Tirus

Posted 28 June 2008 - 05:10 PM

Wow, ok so things just keep getting weirder :)

First, to answer your questions JoeyMagz:
The server is hosted elsewhere, and the phpinfo page reads the value of cache expire that I put in, which was 1000.

But here is the weird part, if anyone has some answers, I would be more than happy to hear them:

So I removed the custom php.ini file that I created, and voila!, the session/session variables do not expire after 2:30. I ran the same test as before, and after 8 minutes, everything was still ok. I then uploaded a custom php.ini file with nothing in it and I was back to the problem...so why on earth would a blank php.ini file cause problems. As far as I understood, creating a custom php.ini file simply changed the values you mention, leaving the rest to what the server ini file has.

So I am now at the point where I have removed my php.ini file and have added the following code to my upload file:
ini_set('max_execution_time','600');
ini_set('post_max_size','200M');
ini_set('upload_max_filesize','150M');
ini_set('session.cache_expire','1000');

set_time_limit(500);
I have changed max_execution_time because well, uploading a file can take longer than the default 30 seconds.
I have changed post_max_size and upload_max_size since I will have files that are larger than the default 2M and 8M. I also added the session.cache_expire since the file would not upload with the first 3 alone, so I just put it in.
Lastly, set_time_limit(500) adds 500 seconds to the script execution time limit...not sure how that really works with max_execution_time but anyways (I think it may add on to it).

The problem is...the file won't upload. First, I am going to assume that a php.ini file should not cause session variables to expire in 2 minutes and 30 seconds, so I assume I should talk to my host about that. Second, if I can't use a php.ini file, and have to resort to changing the ini settings from the php script, as I've done...what am I missing...the file won't upload - my page just gets reset.

JoeyMagz, rc69, anyone else...any ideas?

Thanks,

Tirus

EDIT:

I've modified my test php file to see if the ini settings are actually being changed. According to php.net, if the change is successful, the result returned is the old value that was set. If the change is unsuccessful, the result returned can be empty or false. With these tests, it seems that max_execution_time and session.cache_expire are changed, however the two settings that I really care about (post_max_size and upload_max_size) are not...so I'm kind of stuck.

A while ago, someone suggested trying to change the settings with a .htaccess file. I tried this but got a HTTP 500 Internal Server Error...which according to the FAQS on my web host's site, explains that they only support certain directives...

Any ideas as to what I should do?

Also, let me just add that wow, Firefox is a lot slower at uploading files than Internet Explorer...an 18 MB file goes on IE in 3 mins something, whereas Firefox is about 5 1/2 mins.

Again, any and all help would be greatly appreciated.

Edited by Tirus, 28 June 2008 - 05:53 PM.


#7 JoeyMagz

Posted 28 June 2008 - 05:56 PM

set_time_limit and max_execution_time don't add onto each other.

After reading up on php.net I found that when submitting form data you should not use max_execution_time, instead use this:

ini_set('max_input_time', '600');

The reason being is that max input time is the time php will wait to gather form information, while max_execution_time is the time the script will wait to execute. I would just use the set_time_limit function and set that to about 650 while keeping max_input_time at 600. That should give the form more than enough time to gather the form information and execute the move commands, etc.

Another edit.

After some more reading into php.net I found out that when you're defining a filesize using ini_set() function you must use bytes. The shorthand (K, M, or G) may not be used. So your script should read:

ini_set('post_max_size','209715200');
ini_set('upload_max_filesize','157286400');

Edited by JoeyMagz, 28 June 2008 - 06:11 PM.


#8 Tirus

Posted 28 June 2008 - 06:12 PM

JoeyMagz, on Jun 28 2008, 05:56 PM, said:

set_time_limit and max_execution_time don't add onto each other.

After reading up on php.net I found that when submitting form data you should not use max_execution_time, instead use this:

ini_set('max_input_time', '600');

The reason being is that max input time is the time php will wait to gather form information, while max_execution_time is the time the script will wait to execute. I would just use the set_time_limit function and set that to about 650 while keeping max_input_time at 600. That should give the form more than enough time to gather the form information and execute the move commands, etc.

Problem though, according to php.net, the two settings that I need to change (post_max_size and upload_max_size) are not changeable within a script (they are PHP_INI_PERDIR, not PHP_INI_ALL..they are only changeable within the directory) so I would need to do this by .htaccess. I am currently trying to do this but it says there is a problem with my file:
(changed the directory for this post)
<Directory /leads/to/my/directory>
AllowOverride Options
php_value upload_max_size 150M
php_value post_max_size 200M	
</Directory>
I've never used .htaccess before so I'm not sure if I'm doing it correctly.

EDIT:
Just read your edit JoeyMagz, however even if that is true, I still cannot set it from within my script (see above)

I do appreciate your help though, if you have any more tips for the .htaccess file, that would be great!

Edited by Tirus, 28 June 2008 - 06:16 PM.
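
The posts above turn on two questions: which php.ini PHP actually loaded, and which of these directives ini_set() is allowed to change. The following diagnostic is an added example, not code from any poster; the file name inicheck.php and the test values are assumptions. It reads each directive's access mask from ini_get_all(), tries ini_set(), and prints the session settings that decide where session files live and when they are purged.

```php
<?php
// Added diagnostic, not code from the thread. Upload as e.g. inicheck.php
// (hypothetical name) into the directory that holds the custom php.ini.

// Directives named in the thread; the values are constructed test values.
$wanted = array(
    'max_execution_time'     => '600',
    'max_input_time'         => '600',
    'post_max_size'          => '200M',
    'upload_max_filesize'    => '150M',
    'session.gc_maxlifetime' => '1440',
    'session.cache_expire'   => '1000',
);

// For each directive: current value, whether its access mask allows
// ini_set() (INI_USER bit), and what ini_set() really did.
function probe_directives(array $wanted)
{
    $all  = ini_get_all();   // per directive: global_value, local_value, access
    $rows = array();
    foreach ($wanted as $name => $value) {
        $access = isset($all[$name]) ? $all[$name]['access'] : 0;
        $old    = @ini_set($name, $value);   // false when the change is refused
        $rows[] = array(
            'name'    => $name,
            'before'  => isset($all[$name]) ? $all[$name]['local_value'] : null,
            'runtime' => ($access & INI_USER) !== 0,
            'changed' => $old !== false,
            'after'   => ini_get($name),
        );
    }
    return $rows;
}

$rows = probe_directives($wanted);   // run before any output is sent

header('Content-Type: text/plain');
echo 'Loaded php.ini : ', var_export(php_ini_loaded_file(), true), "\n";
// Where session files are stored and how often garbage collection runs.
foreach (array('session.save_path', 'session.gc_probability',
               'session.gc_divisor') as $name) {
    echo $name, ' = ', var_export(ini_get($name), true), "\n";
}
foreach ($rows as $r) {
    printf("%-24s before=%-10s runtime-settable=%-3s ini_set ok=%-3s now=%s\n",
        $r['name'], var_export($r['before'], true), $r['runtime'] ? 'yes' : 'no',
        $r['changed'] ? 'yes' : 'no', var_export($r['after'], true));
}
```

Running it once with and once without the custom php.ini in place shows which values differ between the two configurations, including session.save_path and the garbage-collection settings.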


#9 JoeyMagz

Posted 28 June 2008 - 06:21 PM

just create the .htaccess file and put this inside:

php_value upload_max_filesize 150M
php_value post_max_size 200M
php_value max_execution_time 600
php_value max_input_time 600


#10 Tirus

Posted 28 June 2008 - 06:28 PM

JoeyMagz, on Jun 28 2008, 06:21 PM, said:

just create the .htaccess file and put this inside:

php_value upload_max_filesize 150M
php_value post_max_size 200M
php_value max_execution_time 600
php_value max_input_time 600

Gives:

Error in /path/to/directory/.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration.

Also, I read something about having to specify AllowOverride...

Edited by Tirus, 28 June 2008 - 06:31 PM.


#11 JoeyMagz

Posted 28 June 2008 - 06:43 PM

<Directory /root/directory>
		Options -Indexes FollowSymLinks
		AllowOverride Options
		Order allow,deny
		Allow from all
</Directory>

That right there is what's supposed to be in the apache.conf file. Whether your host has that or not, I don't know. =/

EDIT

Just doing some more googling, it seems your problem may be that PHP is installed as a CGI binary instead of a module, which brings us all the way back to square one in which case you would need to create your own php.ini file. Seeing as you have tried that and it did not work, your host may be blocking clients from editing their ini file values. This is not uncommon with hosts so it may be the problem.

If you want to try and create your own php.ini file again try using these values in there:

upload_max_filesize = 150M
post_max_size = 200M
max_execution_time = 600
max_input_time = 600

Edited by JoeyMagz, 28 June 2008 - 07:22 PM.


#12 Tirus

Posted 29 June 2008 - 12:54 PM

Thanks for the help JoeyMagz, I really appreciate it.

I tried the custom php.ini file again, but like before, the session variables expired in 2 minutes and 30 seconds.

So I went with an alternative solution (although I'm still quite frustrated that what I've been trying to do does not seem to work...for no apparent reason).

What I do now is when the user logs in, I create a cookie and set it to session_id(). At the top of every page (it's actually included in a header.php file), I have this script:

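<?php
session_start();

$sid = session_id();

// Redirect to the login page unless the SID cookie matches the current session id.
if (!isset($_COOKIE["SID"]) || $sid !== $_COOKIE["SID"]) {
	header("Location: login.php");
	exit; // stop here so the rest of the page is not sent after the redirect
}

?>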

Basically, I now check the session id stored in the cookie and compare that to the current session id. Unlike the session variables, the cookie does not expire after 2 minutes and 30 seconds, even with the custom php.ini file upload (so I can change the post_max_size and upload_max_filesize etc).

I just wanted to now ask if there are any security issues, flaws, loopholes etc that I should be aware of when using this method to validate sessions.

Basically, the cookie is created on my login page, checked on every page and then destroyed (by setting the cookie expiration to a time in the past) on the logout page, or when the browser closes.

Anything I should be worried/concerned/aware about?

Thanks,

Tirus
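
On the security question in the post above: session_id() is normally read from the session cookie the browser sent, and the SID cookie is also sent by the browser, so a match between the two does not show that the visitor authenticated. The following is an added example, not Tirus's code, of a header.php check that relies only on data stored server-side in the session; the keys user_id and last_seen, the 30-minute idle limit and the HTTPS assumption are all assumptions of this example.

```php
<?php
// Added example, not code from the thread. The session keys 'user_id' and
// 'last_seen', the idle limit and the use of HTTPS are assumptions.

const IDLE_LIMIT = 1800; // seconds of inactivity allowed

// Decide from server-side session data only; nothing here reads $_COOKIE.
function session_is_valid(array $session, $now, $idleLimit)
{
    if (empty($session['user_id']) || !isset($session['last_seen'])) {
        return false;                    // login.php never populated the session
    }
    return ($now - (int) $session['last_seen']) <= $idleLimit;
}

// Called at the top of header.php.
function require_login()
{
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    ini_set('session.cookie_httponly', '1');  // hide the cookie from JavaScript
    ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only
    session_start();

    if (!session_is_valid($_SESSION, time(), IDLE_LIMIT)) {
        $_SESSION = array();
        session_destroy();
        header('Location: login.php');
        exit;                            // the protected page body must not run
    }
    $_SESSION['last_seen'] = time();
}

// Called by login.php after the password check has succeeded.
function mark_logged_in($userId)
{
    session_regenerate_id(true);         // issue a fresh id at login
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Constructed session arrays exercise the check from the command line.
if (PHP_SAPI === 'cli') {
    $now = 1700000000;
    var_dump(session_is_valid(array(), $now, IDLE_LIMIT));
    var_dump(session_is_valid(array('user_id' => 7, 'last_seen' => $now - 60), $now, IDLE_LIMIT));
    var_dump(session_is_valid(array('user_id' => 7, 'last_seen' => $now - 7200), $now, IDLE_LIMIT));
}
```

This check still depends on the server keeping the session data, so it does not work around the 2 minute 30 second expiry described earlier in the thread; that has to be resolved in the session configuration.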

#13 JoeyMagz

Posted 29 June 2008 - 07:20 PM

As with all websites there are plenty of security issues. It's all about how you block them though. The main security issue is that cookies are stored on a user's computer not on the server. Just make sure if you include a "stay logged in" feature that you strip any html entities of the cookie username and password. Other than that, you should be good. =D
